Over the course of an ongoing cyber war, Russia-linked hacking collectives are looking for new ways to cripple Ukrainian organizations in the cyber domain. On May 6, 2022, CERT-UA issued an alert warning of yet another phishing attack targeting Ukrainian state bodies. The cyber-attack has been attributed to the notorious Russian state-sponsored threat actors identified as APT28 (aka Fancy Bear APT), also tracked as UAC-0028.
The latest cyber-attack involved email spoofing, with threat actors masquerading their message as a security heads-up from CERT-UA. Adversaries aimed to trick victims into opening a malicious password-protected RAR archive attached to the email, which triggered the infection chain: the archive contained an SFX file that, in turn, deployed malicious software called CredoMap_v2, an updated version of an info stealer. The malware uses the HTTP protocol for data exfiltration, sending stolen credentials to a web resource deployed on the open-source Pipedream platform.
According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), the APT28/UAC-0028 hacking group has also been spotted behind a series of cyber-attacks on Ukraine’s critical infrastructure in March 2022.
In other cyber-attacks by the APT28 hacking group, threat actors were observed targeting European government entities and military institutions. They applied similar attack vectors, including phishing emails that dropped malware strains after enabling a malicious macro. Earlier, attackers were also spotted in a cyber espionage campaign distributing the notorious Zebrocy trojan and Cannon malware via emails that used the trending topic related to the catastrophe of Lion Air Boeing 737 as phishing bait.
To minimize the risk of infection by malicious software, CERT-UA strongly recommends keeping a close eye on emails with password-protected attachments and on emails tied to the most up-to-date and newsworthy topics, which can serve as phishing lures intended to compromise victims who open the attached files. Organizations should also apply software restriction policies that block EXE files through the corresponding OS settings and security measures.
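A small mail-triage routine for the two indicators this advice points at (a password-protected RAR attachment and a header sender that does not match the envelope sender), added here as an example and not code from CERT-UA or SOC Prime. The RAR image, the email and all domains are constructed samples; only RAR4 block headers are parsed, RAR5 archives are not handled.

```python
import struct
from email import message_from_bytes, policy, utils
from email.message import EmailMessage
RAR4_SIG = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x only; RAR5 (Rar!\x1a\x07\x01\x00) is not parsed here
def rar4_is_encrypted(data: bytes) -> bool:
    """Walk RAR4 blocks (HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2)) and report encryption."""
    if not data.startswith(RAR4_SIG):
        return False
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        htype, flags, size = struct.unpack_from("<xxBHH", data, pos)
        if htype == 0x73 and flags & 0x0080:      # MHD_PASSWORD: archive headers encrypted
            return True
        if htype == 0x74 and flags & 0x0004:      # LHD_PASSWORD: file data encrypted
            return True
        if htype == 0x7B or size < 7:             # ENDARC, or a corrupt header size
            break
        if flags & 0x8000:                        # LONG_BLOCK: ADD_SIZE (packed data) follows
            size += struct.unpack_from("<I", data, pos + 7)[0]
        pos += size
    return False

def sample_rar4(encrypted: bool = True, name: bytes = b"document.exe") -> bytes:
    """Constructed minimal RAR4 image: main header, one file header, 4 dummy packed bytes, end header."""
    packed = b"\0" * 4
    flags = 0x8000 | (0x0004 if encrypted else 0)
    body = struct.pack("<IIBIIBBHI", len(packed), 16, 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    return (RAR4_SIG + struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
            + struct.pack("<HBHH", 0, 0x74, flags, 7 + len(body)) + body + packed
            + struct.pack("<HBHH", 0, 0x7B, 0x4000, 7))

def build_sample_email() -> bytes:
    """Constructed lure: From claims a CERT-UA-looking domain, Return-Path points elsewhere."""
    msg = EmailMessage()
    msg["From"] = "CERT-UA <alert@cert-ua.example>"
    msg["Return-Path"] = "<bounce@mailer.example.net>"
    msg.set_content("Please review the attached archive.")
    msg.add_attachment(sample_rar4(), maintype="application", subtype="vnd.rar", filename="notice.rar")
    return bytes(msg)

def triage_email(raw: bytes) -> dict:
    """Flag header/envelope sender mismatch and password-protected RAR attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    dom = lambda hdr: utils.parseaddr(str(msg.get(hdr, "")))[1].rpartition("@")[2].lower()
    from_dom, rp_dom = dom("From"), dom("Return-Path")
    findings = {"sender_mismatch": bool(rp_dom) and rp_dom != from_dom, "encrypted_rar": []}
    for part in msg.iter_attachments():
        if rar4_is_encrypted(part.get_payload(decode=True) or b""):
            findings["encrypted_rar"].append(part.get_filename() or "<unnamed>")
    return findings
```

Both findings together are the pattern described above; either alone is only a weak signal, so route such messages to analyst review rather than blocking on them outright.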
To ensure proactive detection of the malicious activity associated with APT28, including the latest CredoMap_v2 campaign, the SOC Prime Team has developed a set of dedicated Sigma rules:
Sign up for SOC Prime’s Detection as Code platform to obtain all content related to the recent APT28 campaign against Ukraine, or perform a custom search using the #UAC-0028 tag to reveal other related detections.
Detection engineers can also hunt for threats associated with the malicious activity of UAC-0028 using the platform’s dedicated Quick Hunt module.
To provide in-depth context for the most recent phishing cyber-attack by APT28/UAC-0028 targeting Ukraine, the above-referenced detection algorithms are aligned with the MITRE ATT&CK framework and address the following tactics and techniques:
Obfuscated Files or Information (T1027)
Command and Scripting Interpreter (T1059)
User Execution (T1204)
Credentials from Password Stores (T1555)