Ukraine Issues Alert Over Mass Phishing Campaign Aimed at Stealing Citizens' Data

Ukrainian authorities warn of a mass phishing campaign, attributed to a group tracked as UAC-0218, aimed at stealing sensitive personal data from citizens. The ongoing campaign uses deceptive emails that link to malware downloads; the malware searches victims' devices for documents in various formats and exfiltrates them. The Computer Emergency Response Team of Ukraine (CERT-UA) has highlighted the urgency of the situation, urging citizens to remain vigilant against such threats. The campaign's infrastructure features a receiving web server and domain registration choices that facilitate the data theft.
Ukrainian authorities have issued a warning regarding a widespread phishing campaign targeting the personal data of citizens. The campaign is linked to a group identified as UAC-0218, which has been deploying phishing tactics since at least August 2024. The attackers are sending out emails disguised as bills or payment notifications that contain links leading to the download of malicious software designed to steal sensitive information.

Upon downloading the malware, victims unknowingly install a script that systematically searches their devices for documents in various formats. The script then transmits the stolen files to the attackers' servers, giving them access to potentially sensitive personal and financial information that could be exploited for theft or blackmail.

The phishing emails typically carry the subject line "account details" and feature links purportedly pointing to an eDisk file, from which victims are encouraged to download RAR archives. Inside these archives are two password-protected decoy documents named "Договір20102024.doc" and "Рахунок20102024.xlsx", along with a VBS script labeled "Password.vbe".

When executed, the VBS script initiates a recursive search across five specified directories in the user's profile folder for files of various types, including Excel documents and PDF files. Any files found that are under 10MB in size are then exfiltrated to the attackers' server using the HTTP PUT method, which is intended for creating new resources or replacing existing ones on a web server.

In addition to the VBS script, the CERT-UA analysis revealed an executable file present on victims' devices containing a one-line PowerShell command. This command functions similarly to the VBS script: it performs a recursive search of the %USERPROFILE% directory for files with specific extensions and subsequently transfers them to the attackers' management server via the HTTP POST method.
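The two exfiltration paths described above (document files under 10MB pushed to one external host with HTTP PUT or POST) give a defender a simple hunting signature for proxy logs. The following is an added example written for this page, not CERT-UA's code; the log layout, the 203.0.113.9 host, the Word extensions and the threshold of three uploads are constructed assumptions.

```python
import re
from collections import defaultdict

# Extensions the advisory names (Excel, PDF); .doc/.docx added as an assumption
# because the decoys in the campaign archive are Word documents.
DOC_EXTENSIONS = {".xls", ".xlsx", ".pdf", ".doc", ".docx"}
SIZE_CAP = 10 * 1024 * 1024  # advisory: only files under 10MB are exfiltrated

# Assumed proxy log layout (constructed for this example):
# <client_ip> <method> <url> <bytes_sent>
LOG_RE = re.compile(r"^(\S+) (PUT|POST|GET|HEAD) (\S+) (\d+)$")


def parse_line(line):
    """Return a record dict for a well-formed log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, url, size = m.groups()
    return {"ip": ip, "method": method, "url": url, "size": int(size)}


def looks_like_document_upload(rec):
    """True when an upload method carries a document-like filename under the size cap."""
    if rec["method"] not in ("PUT", "POST"):
        return False
    name = rec["url"].split("?", 1)[0].rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in DOC_EXTENSIONS and rec["size"] < SIZE_CAP


def find_bulk_uploads(lines, threshold=3):
    """Map (client_ip, destination_host) -> count for clients sending >= threshold documents to one host."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and looks_like_document_upload(rec):
            host = rec["url"].split("://", 1)[-1].split("/", 1)[0]
            counts[(rec["ip"], host)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample traffic: one workstation pushing three documents to one external host.
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/index.html 2048
10.0.0.7 PUT http://203.0.113.9/upload/Рахунок20102024.xlsx 48211
10.0.0.7 PUT http://203.0.113.9/upload/Договір20102024.doc 73004
10.0.0.7 PUT http://203.0.113.9/upload/passport_scan.pdf 910332
10.0.0.7 PUT http://203.0.113.9/upload/archive.zip 5000
10.0.0.9 POST http://crm.example/api/report.pdf 120000
""".splitlines()

if __name__ == "__main__":
    print(find_bulk_uploads(SAMPLE_LOG))  # {('10.0.0.7', '203.0.113.9'): 3}
```

Tune the threshold and extension set to the environment; the size cap filters out legitimate large uploads that the campaign's script would never send.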

CERT-UA has also described aspects of the attackers' infrastructure, noting the use of the HostZealot domain name registrar and a receiving web server implemented in Python.

In a related warning issued in August 2024, CERT-UA disclosed that over 100 Ukrainian government computers had been compromised in a previous phishing attack. In that incident, attackers masqueraded as the Security Service of Ukraine to entice targets into clicking on malicious links that led to the download of ANONVNC malware.

Ukrainian authorities continue to monitor the situation closely, urging citizens to exercise caution and remain vigilant against phishing attempts that could compromise their personal data.