APT28 Employs Windows Update Lures to Trick Ukrainian Targets
The phishing emails were sent using names of system administrators and a letter containing instructions to protect against hackers.
The Russia-linked APT28 hacking group targeted Ukrainian government bodies in a spear-phishing campaign that uses phony "Windows Update" guides.
In April, CERT-UA observed malicious emails being sent on Microsoft Outlook from what appeared to be system administrators at government bodies — with a subject line that read "Windows Update." The emails sought to trick the recipients into "launching a command line and executing a PowerShell command."
Operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU), the APT28 group has been known to be active since 2007 and has targeted a variety of operations globally, including governments, security organizations, militaries, and the 2016 US presidential election.
"The mentioned command will download a PowerShell script that, simulating the process of updating the operating system, will download and execute the following PowerShell script designed to collect basic information about the computer using the 'tasklist', 'systeminfo' commands, and send the received results using HTTP request to the Mocky service API," the CERT-UA alert stated.
Going forward, CERT-UA recommends that organizations placing restrictions on PowerShell use and monitor network connections to the Mocky service API. The NCSC, NSA, CISA, and FBI was also released a joint advisory with information on tactics, techniques, and procedures (TTPs) connected with APT28's attacks.
About the Author(s)
You May Also Like
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024