June 7, 2023

Researchers have reported that the Russia-linked APT28 group is targeting Ukrainian government bodies with fake ‘Windows Update’ guides CERT-UA warns.

The APT28 group (aka Fancy Bear) has been active since at least 2007, and it has targeted governments, militaries, and security organizations worldwide by spear phishing campaigns

CERT-UA observed the campaign in April 2023, the malicious e-mails with the subject “Windows Update” were crafted to appear as sent by system administrators of departments of multiple government bodies. The threat actors sent the messages from e-mail addresses created on the public service “@outlook.com.

Advertisements

The attackers used @outlook.com email addresses using real employee names that were previously obtained in a reconnaissance phase. The content of the messages attempts to trick recipients into launching a command line and executing a PowerShell command.

Upon executing the command, it downloads a PowerShell script on the computer that simulates a Windows updating process while downloading another PowerShell script in the background.

This second-stage payload abuses the ‘tasklist’ and ‘systeminfo’ commands to gather system information and send them to a Mocky service API via an HTTP request.

The CERT-UA recommends restricting the ability of users to launch PowerShell and monitor network connections to the Mocky service API.

Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: