The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country.
The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain.
“Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file ‘weblinks.cmd’ to the victim’s computer,” CERT-UA said, attributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE).
“When a CMD file is run, several decoy web pages will be opened, .bat and .vbs files will be created, and a VBS file will be launched, which in turn will execute the BAT file.”
The next phase of the attack involves running the “whoami” command on the compromised host and exfiltrating the information, alongside downloading the TOR hidden service to route malicious traffic.
Persistence is achieved by means of a scheduled task and remote command execution is implemented using cURL through a legitimate service called webhook.site, which was recently disclosed as used by a threat actor known as Dark Pink.
CERT-UA said the attack was ultimately unsuccessful owing to the fact that access to Mocky and the Windows Script Host (wscript.exe) was restricted. It’s worth noting that APT28 has been linked to the use of Mocky APIs in the past.
Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security
Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.
The disclosure comes amid continued phishing attacks targeting Ukraine, some of which have been observed leveraging an off-the-shelf malware obfuscation engine named ScruptCrypt to distribute AsyncRAT.
Another cyber assault mounted by GhostWriter (aka UAC-0057 or UNC1151) is said to have weaponized a recently disclosed zero-day flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike, the agency said.