Russian-backed malware group spoofs pro-Ukrainian apps, Google says


“All war is based on deception,” Sun Tzu wrote in The Art of War. Some 2,500 years later, the maxim applies to the virtual battlefield as well as the physical one.

As the war in Ukraine rages on, Google researchers have discovered malware from a Russian state-backed group disguised as a pro-Ukrainian app. The details were revealed in a blog post published by Google’s Threat Analysis Group (TAG), which specializes in tracking and exposing state-sponsored hacking.

According to TAG, the Cyber Azov app – which invokes Ukraine’s far-right military unit, the Azov Regiment – was actually created by Turla, a Kremlin-backed hacking group known for compromising European and American organizations with malware.

Screenshot taken from the Cyber Azov website.
Image: Google Threat Analysis Group

According to TAG’s research, the app was distributed through a domain controlled by Turla and had to be sideloaded manually from an APK file rather than installed from the Google Play Store, which means it never passed Play Store review. Text on the Cyber Azov website claimed the app would launch denial-of-service attacks on Russian websites, but TAG’s analysis showed the app was ineffective for this purpose.

Meanwhile, analysis of the APK file on VirusTotal shows that many of the top anti-malware vendors flag it as malicious, classifying it as a Trojan.

TAG’s blog post suggests that the number of users who installed the app is low. However, the Cyber Azov domain was still reachable from The Verge on Tuesday morning, which means more Android users could still download the app. A Bitcoin address listed on the website to solicit donations had neither sent nor received any transactions at the time of publication, supporting the assessment that the malicious app has not achieved wide reach. (On the other side of the conflict, Bitcoin and other cryptocurrencies have provided a source of revenue for the Ukrainian government and military through the efforts of the Ukraine-based Kuna exchange.)

In addition to the malicious Android app, TAG also reported exploitation of the recently discovered Follina vulnerability (CVE-2022-30190), a flaw in the Microsoft Support Diagnostic Tool (MSDT) that can be triggered from a maliciously crafted Word document and lets an attacker run code on the victim’s machine. The vulnerability had been used by groups linked to Russian military intelligence (GRU) to target media organizations in Ukraine, Google researchers said.

The spoofed app distributed by Turla exploits an important trend in the cyber dimension of the Russian-Ukrainian conflict, namely the involvement of a large, decentralized base of digital volunteers hoping to help the Ukrainian cause. At the start of the conflict, groups linked to Anonymous claimed a number of victories against Russian companies by hacking and leaking sensitive data, although it is unclear what material effect this had on the course of the war.

Throughout the invasion, Ukraine’s “IT army” made headlines by carrying out a series of denial-of-service attacks, loosely coordinated via a government-sanctioned Telegram channel – an organizational strategy that analysts have described as a novel approach to cyber and information warfare.
