APT 28 Uses Fake Windows Updates
CERT-UA warns that the Russia-linked APT28 group is targeting Ukrainian government bodies with fake ‘Windows Update’ guides.
The APT28 group (aka Fancy Bear) has been active since at least 2007. It has targeted governments, militaries, and security organizations worldwide through spear-phishing campaigns.
CERT-UA observed the campaign in April 2023. The malicious e-mails, with the subject “Windows Update”, were crafted to appear as if sent by the system administrators of departments of multiple government bodies. The threat actors sent the messages from e-mail addresses created on the public “@outlook.com” service.
The @outlook.com addresses used the real names of employees, which the attackers had obtained during an earlier reconnaissance phase. The content of the messages tries to trick recipients into opening a command line and running a PowerShell command.
When executed, the command downloads a PowerShell script to the computer that simulates a Windows update process while downloading another PowerShell script in the background.
This second-stage payload abuses the ‘tasklist’ and ‘systeminfo’ commands to gather system information and sends it to a Mocky service API via an HTTP request.
CERT-UA recommends restricting the ability of users to launch PowerShell and monitoring network connections to the Mocky service API.
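As an added illustration of the monitoring CERT-UA recommends (this is not code from the advisory or the article), the sketch below correlates two signals from the chain described above over constructed Sysmon-style telemetry: PowerShell spawning `tasklist.exe` or `systeminfo.exe`, followed within a short window by PowerShell itself connecting to the Mocky API. The Mocky host name is an assumption and should be replaced with whatever your own threat intelligence lists.

```python
"""Flag hosts where PowerShell ran recon tools and then called out to the Mocky API."""
from datetime import datetime, timedelta

# ASSUMPTION: Mocky's public API host; substitute the indicators from your own intel feed.
MOCKY_HOSTS = {"run.mocky.io"}
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
WINDOW = timedelta(minutes=10)  # recon and callback must occur within this span

# Constructed sample telemetry (not real logs): time|host|event|image|parent_or_destination
SAMPLE_EVENTS = """
2023-04-18T09:00:01|WS-01|ProcessCreate|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe
2023-04-18T09:00:03|WS-01|ProcessCreate|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\cmd.exe
2023-04-18T09:00:09|WS-01|ProcessCreate|C:\\Windows\\System32\\tasklist.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2023-04-18T09:00:10|WS-01|ProcessCreate|C:\\Windows\\System32\\systeminfo.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2023-04-18T09:00:12|WS-01|NetworkConnect|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|run.mocky.io
2023-04-18T09:30:00|WS-02|ProcessCreate|C:\\Windows\\System32\\systeminfo.exe|C:\\Windows\\System32\\cmd.exe
2023-04-18T09:31:00|WS-02|NetworkConnect|C:\\Program Files\\Mozilla Firefox\\firefox.exe|run.mocky.io
"""


def parse(text):
    """Turn pipe-delimited records into dicts; paths are lower-cased for matching."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, image, other = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
                       "image": image.lower(), "other": other.lower()})
    return events


def base(path):
    """Last path component, e.g. 'C:\\Windows\\System32\\tasklist.exe' -> 'tasklist.exe'."""
    return path.rsplit("\\", 1)[-1]


def find_suspicious_hosts(events):
    """Hosts with a PowerShell-launched recon tool followed within WINDOW by a
    PowerShell connection to a Mocky host. A lone recon command or a browser
    visit to Mocky (WS-02 in the sample) is not enough on its own."""
    recon_times, alerts = {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if (e["kind"] == "ProcessCreate" and base(e["image"]) in RECON_TOOLS
                and base(e["other"]) == "powershell.exe"):
            recon_times.setdefault(e["host"], []).append(e["ts"])
        elif (e["kind"] == "NetworkConnect" and base(e["image"]) == "powershell.exe"
                and e["other"] in MOCKY_HOSTS):
            if any(e["ts"] - t <= WINDOW for t in recon_times.get(e["host"], [])):
                alerts.add(e["host"])
    return sorted(alerts)


if __name__ == "__main__":
    print(find_suspicious_hosts(parse(SAMPLE_EVENTS)))  # ['WS-01']
```

In production the same correlation would read Sysmon event IDs 1 (process creation) and 3 (network connection) from your SIEM instead of the embedded sample.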