Oleksandr Kuzmenko, That's Life
22 May 2026, 17:07
Hackers attack Ukrainian government agencies with fake Prometheus certificates
The Ukrainian government’s computer emergency response team CERT-UA has recorded a new wave of cyberattacks on the country’s state institutions. Attackers are disguising malicious emails as notifications about the successful completion of courses on the popular educational platform Prometheus, trying to secretly install malicious software on victims' computers.
This was reported by the State Service for Special Communications and Information Protection of Ukraine.
Hackers from the UAC-0057 group are using already compromised accounts of Ukrainian enterprises and organizations to send phishing emails. The messages come with a subject line about an allegedly generated training certificate.
The email contains a PDF document that mimics a notification from the Prometheus platform. Inside the file is a link that, when clicked, downloads a ZIP archive containing a malicious JavaScript file to the computer. Running it starts the process of infecting the system.
Image: CERT-UA
Experts have classified this JS file as OYSTERFRESH. Its task is to display a decoy document and write the encoded malware OYSTERBLUES to the Windows registry; OYSTERBLUES collects information about the computer (username, OS version, running processes, etc.) and sends it to the attackers' command-and-control server. At the final stage of the attack, the attackers can download a Cobalt Strike component to the device, giving them full control of the system.
According to experts, the attackers' infrastructure is hidden behind Cloudflare, and most of their domains are registered under the .icu top-level domain. To protect against this threat, CERT-UA recommends that system administrators restrict the ability of regular (non-administrative) user accounts to run wscript.exe.
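One way to implement that recommendation on a single host is an NTFS deny ACE on wscript.exe for the Users group, so standard accounts cannot launch the Windows Script Host while administrators keep their inherited Allow. The script below is an added example written for this article; it is not code from CERT-UA's advisory, and the function name and the choice of the built-in Users group are assumptions. It must be run from an elevated PowerShell session and includes a rollback switch.

```powershell
# Added example (not from the CERT-UA advisory): deny execute on wscript.exe
# for standard users with an NTFS deny ACE. Both the 64-bit and 32-bit copies
# are covered, because a .js file can be launched through either one.
# Function name and the "BUILTIN\Users" principal are assumptions for this example.
function Set-WScriptUserDeny {
    [CmdletBinding()]
    param(
        # -Undo removes the deny entry again (rollback)
        [switch]$Undo
    )

    $targets = @(
        "$env:SystemRoot\System32\wscript.exe",
        "$env:SystemRoot\SysWOW64\wscript.exe"
    )

    foreach ($exe in $targets) {
        if (-not (Test-Path $exe)) { continue }

        if ($Undo) {
            # /remove:d strips only the Deny entries for the given principal
            icacls $exe /remove:d "BUILTIN\Users" | Out-Null
        } else {
            # (X) = execute permission; an explicit Deny overrides the inherited Allow
            icacls $exe /deny "BUILTIN\Users:(X)" | Out-Null
        }

        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed for $exe (is the session elevated?)"
            continue
        }

        # Print the resulting ACL so the change can be verified by eye
        icacls $exe
    }
}

# Apply the restriction; a "BUILTIN\Users:(DENY)(X)" line should now appear for
# each binary. Run "Set-WScriptUserDeny -Undo" to revert.
Set-WScriptUserDeny
```

After applying it, a double-click on a .js file by a standard user fails with an access-denied error instead of starting wscript.exe, while an administrator can still run scripts. For a fleet, the same effect is normally delivered centrally through Group Policy or AppLocker rather than per-host ACL edits, and any such change should first be checked against legitimate logon or management scripts that depend on wscript.exe.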
The UAC-0057 group (also known as UNC1151) is a long-familiar adversary to Ukrainian cyber defenders. It is associated with the Belarusian special services, which operate in close coordination with Russian military intelligence. In the past, the group has repeatedly carried out espionage attacks on the Ukrainian public and private sectors using social engineering.