2022-12-29

A Compromised Ministry of Defense Account Spreads Info-Stealer in Ukraine


Category: Threat Actor Activity | Industry: Military | Level: Tactical | Source: CERT-UA

Ukraine’s Computer Emergency Response Team (CERT-UA) issued an advisory about phishing messages sent from a compromised Ukrainian Ministry of Defense email account to users of the 'DELTA' military situational awareness system. The emails and instant messages urge recipients to update certificates for the 'DELTA' system. Each message carries a zip archive containing an executable named "certificates_rootCA.exe", which is protected with VMProtect to hinder reverse engineering. When run, the executable displays prompts that mimic a certificate update process while it downloads DLL files for two information stealers, 'FateGrab' and 'StealDeal'. StealDeal collects data from the victim's browsers; FateGrab collects files with the following extensions: '.txt', '.rtf', '.xls', '.xlsx', '.ods', '.cmd', '.pdf', '.vbs', '.ps1', '.one', '.kdb', '.kdbx', '.doc', '.docx', '.odt', '.eml', '.msg', '.email'. Because the messages originate from a genuine Ministry account, sender-domain and reputation checks will not flag them, so detection has to rest on the attachment itself and on host behaviour after execution.

Anvilogic Use Cases:

  • Compressed File Execution
  • Executable File Written to Disk
  • Suspicious File Written to Disk
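The three use cases above are behavioural rather than hash-based, which is what makes them useful against a VMProtect-packed dropper whose hash changes per build. The following is an added example written for this page, not Anvilogic's detection content nor anything from the CERT-UA advisory: toy versions of the three rules run over constructed Sysmon-style events, plus a correlation that raises a higher-confidence alert when the same image both launched from an archive extraction directory and then wrote a PE file, which is the certificates_rootCA.exe chain described above. The event field names, event ID mapping, extraction-path and user-writable-path patterns, and all sample paths are assumptions for illustration.

```python
import re

# Sysmon-style event IDs (assumed mapping for this example).
PROCESS_CREATE = 1
FILE_CREATE = 11

# Directories where Explorer, WinRAR and 7-Zip extract archive contents before a
# double-clicked file is launched (assumed common defaults, not from the advisory).
ARCHIVE_EXTRACT_PATH = re.compile(r"\\Temp\\(Temp1_|Rar\$|7z)", re.I)

# User-writable locations an unprivileged dropper can write to (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")


def compressed_file_execution(ev):
    """Use case 1: an .exe launched straight out of an archive extraction directory."""
    return (ev["id"] == PROCESS_CREATE
            and ev["image"].lower().endswith(".exe")
            and ARCHIVE_EXTRACT_PATH.search(ev["image"]) is not None)


def executable_written_to_disk(ev):
    """Use case 2: a PE file (exe/dll/...) created on disk."""
    return ev["id"] == FILE_CREATE and ev["target"].lower().endswith(EXECUTABLE_EXT)


def suspicious_file_written(ev):
    """Use case 3: a process that itself runs from a user-writable path writes into
    another user-writable path (dropper behaviour that needs no admin rights)."""
    return (ev["id"] == FILE_CREATE
            and USER_WRITABLE.search(ev["image"]) is not None
            and USER_WRITABLE.search(ev["target"]) is not None)


RULES = [
    ("Compressed File Execution", compressed_file_execution),
    ("Executable File Written to Disk", executable_written_to_disk),
    ("Suspicious File Written to Disk", suspicious_file_written),
]


def detect(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


def correlate_dropper_chain(events):
    """Higher-confidence alert: the same image both fired 'Compressed File Execution'
    and later wrote an executable/DLL, mirroring the certificates_rootCA.exe chain."""
    launched = {ev["image"].lower() for ev in events if compressed_file_execution(ev)}
    return sorted({ev["image"].lower() for ev in events
                   if executable_written_to_disk(ev) and ev["image"].lower() in launched})


# Constructed sample telemetry (not real CERT-UA data): a user extracts the lure zip,
# runs certificates_rootCA.exe, which drops a DLL and a second EXE; plus benign noise.
DROPPER = r"C:\Users\user\AppData\Local\Temp\Temp1_certificates.zip\certificates_rootCA.exe"
SAMPLE_EVENTS = [
    {"id": PROCESS_CREATE, "image": DROPPER, "parent": r"C:\Windows\explorer.exe"},
    {"id": FILE_CREATE, "image": DROPPER, "target": r"C:\Users\user\AppData\Local\Temp\stealer.dll"},
    {"id": FILE_CREATE, "image": DROPPER, "target": r"C:\Users\user\AppData\Roaming\svc\update.exe"},
    {"id": PROCESS_CREATE, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": FILE_CREATE, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\Temp\trace.txt"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("dropper chain:", correlate_dropper_chain(SAMPLE_EVENTS))
```

Individually, "Executable File Written to Disk" fires on every software installer and is noisy; the value is in the correlation, where an executable that was itself launched from an archive extraction folder goes on to drop PE files into the user's profile. In a real deployment the extraction-path pattern should be tuned to the archive tools actually in use, and the user-writable pattern extended with any shares or sync folders the organisation allows.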
