
Ukrainians targeted by hackers using Kursk Oblast POW photos

Ukraine has discovered the spread of a malicious email campaign using photos and information on Kursk Oblast prisoners of war (POW) to fool victims into downloading info-stealing malware.

Daniel Croft
Tue, 20 Aug 2024

Ukraine's national computer emergency response team, CERT-UA, said in a statement translated from Ukrainian that it had “received information regarding the distribution of emails on the topic of prisoners of war,” which contain a link that leads victims to download a zip file called “spysok_kursk”.

“The mentioned archive contains a CHM file ‘list of vp dropped. kursk.chm’, which, among other things, contains an HTML file ‘part.html’ containing JavaScript code, which, in turn, ensures the launch of an obfuscated PowerShell script,” said the CERT-UA document.

When the PowerShell script is run, it downloads components of the SPECTR malware and a tool called FIRMACHAGENT.


SPECTR is an info-stealer that harvests browser data, documents, credentials and other files from the victim’s device and captures a screenshot every 10 seconds, while FIRMACHAGENT is a new program designed to download the stolen data.

In a separate but similar statement on its Telegram channel, CERT-UA attributed the campaign to the UAC-0020 (Vermin) hacking group.

The group is believed to operate on behalf of the Kremlin and has ties to the “Luhansk People’s Republic”, the name used for the Ukrainian region currently occupied by Russian armed forces.

The group has previously used the SPECTR malware against Ukrainian targets, having launched attacks on the Ukrainian defence forces using spear-phishing emails.

CERT-UA recommends that individuals and organisations limit administrative rights to reduce the attack surface and prevent users from running PowerShell scripts and .CHM files.
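As an added illustration (not part of the article or of CERT-UA’s advisory), the chain described above, a CHM opened by the Windows HTML Help viewer hh.exe that spawns an obfuscated PowerShell launcher, is something a defender can look for in process-creation telemetry. The script below scores constructed Sysmon-style events; the field names, marker heuristics and sample command lines are assumptions, not data from the campaign.

```python
import re
from dataclasses import dataclass
from ntpath import basename  # Windows-style paths, whatever OS the analysis runs on

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields, assumed)."""
    parent_image: str
    image: str
    command_line: str

CHM_VIEWERS = {"hh.exe"}  # Windows HTML Help viewer, the program that opens .chm files
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits common to obfuscated PowerShell launchers (heuristics, not a full parser)
PS_MARKERS = [
    ("encoded command", re.compile(r"\s-e(c|nc|ncoded(command)?)?\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("download cradle", re.compile(r"downloadstring|invoke-webrequest|net\.webclient|\biwr\b", re.I)),
    ("base64 decode", re.compile(r"frombase64string", re.I)),
]

def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the CHM -> PowerShell chain; [] means not flagged."""
    parent = basename(ev.parent_image).lower()
    image = basename(ev.image).lower()
    reasons = []
    if parent in CHM_VIEWERS and image in SCRIPT_HOSTS:
        reasons.append(f"{image} launched by HTML Help viewer {parent}")
    if image in {"powershell.exe", "pwsh.exe"}:
        hits = [name for name, rx in PS_MARKERS if rx.search(ev.command_line)]
        # A single marker is routine in admin tooling; require two, or any marker under hh.exe
        if len(hits) >= 2 or (hits and reasons):
            reasons.extend(f"PowerShell {h}" for h in hits)
    return reasons

def detect(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    return [(ev, r) for ev in events if (r := score_event(ev))]

# Constructed sample telemetry for demonstration, not real logs from the campaign
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\hh.exe", PS_PATH, "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent(r"C:\Windows\explorer.exe", PS_PATH, r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", PS_PATH, "powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), ":", "; ".join(reasons))
```

Only the hh.exe-spawned launcher is flagged; the lone `-enc` under svchost.exe is left alone so that scheduled-task PowerShell does not drown the alert.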

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
