Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) is warning of a new wave of cyberattacks aimed at gaining access to users’ Telegram accounts.
“The criminals send messages containing malicious links to what appears to be Telegram’s website in order to gain unauthorized access to the accounts, including the ability to intercept the one-time code sent via text message,” the SSSCIP said in an alert.
The attacks, which have been attributed to a threat cluster tracked as “UAC-0094,” begin with Telegram messages alerting recipients that a login has been detected from a new device located in Russia and urging them to confirm their accounts by clicking on a link.
The URL, in reality a phishing domain, prompts victims to enter their phone numbers as well as the one-time passwords sent to them via text message, which the threat actors then use in real time to take control of the accounts.
The modus operandi mirrors that of an earlier phishing attack that came to light in early March, which leveraged compromised inboxes belonging to different Indian entities to send phishing emails to Ukr.net users in order to hijack their accounts.
In another social engineering campaign observed by the Computer Emergency Response Team of Ukraine (CERT-UA), war-related decoys were sent to Ukrainian government agencies to deploy spyware.
The emails come with an HTML file attachment (“War Criminals of the Russian Federation.htm”), the opening of which results in a PowerShell-based implant being downloaded and executed on the infected host.
CERT-UA attributed the attack to Armageddon, a Russian-based threat actor linked to the Federal Security Service (FSB) that has a history of striking Ukrainian entities since at least 2013.
In February 2022, the hacking group was linked to spy attacks targeting the government, military, non-governmental organizations (NGOs), judiciary, law enforcement and non-profit organizations for the primary purpose of exfiltrating sensitive information.
Armageddon, also known by the moniker Gamaredon, also allegedly targeted Latvian government officials in a related phishing attack in late March 2022, using war-themed RAR archives to spread malware.
Other phishing campaigns documented by CERT-UA in recent weeks have deployed a variety of malware, including GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, not to mention an operation by Ghostwriter to install the Cobalt Strike post-exploitation framework.
The GrimPlant and GraphSteel attacks, associated with a threat actor tracked as UAC-0056 (aka SaintBear, UNC2589, TA471), reportedly began in early February 2022, according to SentinelOne, which described the payloads as malicious binaries designed to perform reconnaissance, collect credentials, and execute arbitrary commands.
SaintBear is also assessed to be behind WhisperGate activity in early January 2022, impacting government agencies in Ukraine, with the actor preparing GrimPlant and GraphSteel campaign infrastructure from December 2021.
Last week, Malwarebytes Labs implicated the same group in a new series of attacks in late March against Ukrainian organizations, including a private television channel named ICTV, using a spear-phishing lure that carried Excel documents with embedded macros, leading to the distribution of the GrimPlant (aka Elephant Implant) backdoor.
The disclosure comes as several Advanced Persistent Threat (APT) groups from Iran, China, North Korea, and Russia have capitalized on the ongoing Russia-Ukraine war as a pretext to backdoor victim networks and stage other malicious activities.