Ukraine has uncovered a malicious email campaign that uses photos and information about prisoners of war (POWs) from Kursk Oblast to lure victims into downloading info-stealing malware.
Ukraine’s government computer emergency response team, CERT-UA, said in a statement translated from Ukrainian that it had “received information regarding the distribution of emails on the topic of prisoners of war”. The emails contain a link that leads victims to download a ZIP archive called “spysok_kursk”.
“The mentioned archive contains a CHM file ‘list of vp dropped. kursk.chm’, which, among other things, contains an HTML file ‘part.html’ containing JavaScript code, which, in turn, ensures the launch of an obfuscated PowerShell script,” said the CERT-UA document.
When the PowerShell script runs, it downloads components of the SPECTR malware and a program called FIRMACHAGENT.
SPECTR is an info-stealer that harvests browser data, documents, files and credentials from the victim’s device and captures a screenshot every 10 seconds. FIRMACHAGENT is a new program designed to download the stolen data.
In a separate but similar statement on its Telegram channel, CERT-UA attributed the campaign to the UAC-0020 (Vermin) hacking group.
The group is believed to operate on behalf of the Kremlin and has ties to the “Luhansk People’s Republic”, referring to the Ukrainian region currently occupied by Russian armed forces.
The group has previously used SPECTR against Ukrainian targets, including spear-phishing attacks on the Ukrainian defence forces.
CERT-UA recommends that individuals and organisations limit administrator rights to reduce the attack surface and block users from running PowerShell and .CHM files.
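One way to turn the attack chain above into detection logic, as an added example that is not from the article or from CERT-UA: flag process-creation events in which the Windows HTML Help viewer (hh.exe, which renders CHM files) spawns a script interpreter, or PowerShell starts with an encoded command line. Field names follow the Sysmon Event ID 1 layout; the sample events are constructed for the example.

```python
"""Flag the CHM -> PowerShell launch chain in process-creation telemetry.
Example code added for this article; all events below are constructed."""
import re

# Constructed sample events in Sysmon Event ID 1 style (ParentImage, Image, CommandLine).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},   # placeholder base64
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\spysok_kursk\list.chm'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},                # benign admin use
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match any of them as a flag.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) findings for one event; an empty list means benign."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    findings = []
    if parent == "hh.exe" and image in INTERPRETERS:
        findings.append(("high", "HTML Help viewer spawned a script interpreter"))
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_FLAG.search(f" {cmd} "):
        findings.append(("medium", "PowerShell started with an encoded command"))
    if image == "hh.exe" and "\\downloads\\" in cmd.lower() and cmd.lower().endswith(".chm"):
        findings.append(("low", "CHM file opened from the Downloads folder"))
    return findings


def scan(events):
    """Return [(index, findings)] for every event that produced at least one finding."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, findings)
```

The hh.exe-to-interpreter rule is the one worth alerting on; the Downloads-folder rule is only a low-confidence signal to correlate with it.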