Олег Онопрієнко | War
31 March 2025, 17:53
Russian hacker group Gamaredon spreads Remcos RAT Trojan in Ukraine under the guise of military information
The Russian hacking group Gamaredon is carrying out phishing attacks on Ukrainian organizations, using decoys related to troop movements to spread the Remcos RAT remote access trojan.
Cisco Talos researchers have discovered that attackers are sending ZIP archives containing LNK files disguised as Microsoft Office documents; when opened, these files run PowerShell scripts that download malware from servers in Russia and Germany.
In the first stage, the LNK files carry PowerShell code that downloads and executes the next stages of the attack. The second stage downloads a ZIP archive containing a malicious DLL that, through DLL side-loading, launches the Remcos RAT, giving the attackers remote access to infected systems.
File names of the LNK decoys in the campaign include:
3710407173 (Gur'ev P.A)/GUR'EV Pavel Andriyovych.docx.lnk
Probable location of communication nodes, EW installations and enemy UAV units. SOUTH OF THE RED ARMY.docx.lnk
GUR'EV Pavlo Andriyovych.docx.lnk
Coordinates of enemy takeoffs in 8 days (Krasnoarmeysk).xlsx.lnk
Enemy positions west and south-west.xlsx.lnk
FISHERMAN Stanislav Viktorovich.docx.lnk
SHASHYLO Oleksandr Vitaliyovych.docx.lnk
The malware distribution campaign consists of four large phishing clusters that impersonate the US Central Intelligence Agency, the Russian Volunteer Corps, the Legion of Freedom, and Hochu Zhit, a hotline that receives appeals from Russian servicemen in Ukraine who want to surrender to the Armed Forces of Ukraine.
Attackers use Google Forms and email responses to collect personal information about victims, including their political views, unhealthy habits, and physical fitness.
Gamaredon, also known as UAC-0010 and Armageddon, has been active since at least 2013 and is associated with the Russian Federal Security Service (FSB). The group specializes in cyber espionage and data theft, focusing its attacks primarily on Ukrainian government institutions. Previously, a service called Tryzub was created in Ukraine to simulate the behavior of Armageddon and Sandworm hackers for further study.
Ukraine is constantly suffering from enemy cyberattacks, and the case of Ukrzaliznytsia illustrates that the enemy is investing considerable resources to undermine the country's digital infrastructure. As a reminder, we previously spoke with the Director General of the National Cybersecurity Directorate of Romania about the current state of European cybersecurity.