
US Cyber Command Spots Malware Strain Targeting Ukraine


US Cyber Command discovered 20 new strains of malware among the numerous malicious software samples and cyberattacks used against Ukrainian targets over the last few months.

In an alert last week, the Pentagon’s cyberspace wing made public indicators of compromise (IOCs) associated with various malware strains found in Ukrainian networks by the country’s security service.

A statement from US Cyber Command on Wednesday this week said: “Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them.”

The federal alert comes as multiple private security researchers this week issued their own threat research related to the Russian invasion.

The report further stated that Cisco Talos security researchers in March discovered a “fairly uncommon” type of malware targeting a “large software development company” whose software is used by several Ukrainian state organizations.

Ukraine Fell for Phish Bait

Mandiant’s latest research on state-sponsored cyberspies provides threat intel on two groups. The first, which it tracks as UNC1151, it links to the Belarusian government, with the caveat: “We cannot rule out Russian contributions to either UNC1151 or Ghostwriter activities.” This group also provides technical support to the pro-Russian Ghostwriter group for its information operations campaigns.

Since the war began, UNC1151 has targeted Ukrainian and Polish organizations. Its most recent attempts use a modified version of MicroBackdoor and a lure whose title translates to “What to do? During artillery shelling by volley fire systems” to spy on victims in Ukraine.

Using a compromised Ukrainian account, UNC1151 sent out these phishing emails with a ZIP file attached that contained the malicious payload. Once a victim is tricked into opening the file, the victim’s computer downloads the backdoor malware, which can upload and download files, execute commands, update itself, and take screenshots.

“We believe UNC2589 acts in support of Russian government goals, but have not uncovered evidence to link it conclusively,” the report said. “We believe UNC2589 may be capable of engaging in disruptive or destructive cyber operations in the future.”
