This blog post provides insight and context on a sample of malicious activity targeting Ukrainian entities during the ongoing war. We highlight UNC1151 and suspected UNC2589 operations that leverage phishing with malicious documents leading to malware infection chains.
UNC1151 is an APT that's been active since at least 2009.
"By launching spear phishing attacks against Ukrainian government entities, they were able to obtain sensitive documents related to fighting the war in Eastern Ukraine."
It also appears that several malicious document campaigns were facilitated by a separate group of entities, but that group's activity was limited to spear phishing.
In one case, the threat actor registered a domain that was similar to one of the targeted entities: http://courier-ua.com (note the ua suffix).
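A defender's counterpart to the lookalike-domain technique above is to check newly observed domains against a watchlist of the legitimate domains they might impersonate. The following is an added example, not code from the original post; the watchlist entries (`courier.com`, `postal-service.com`) are constructed placeholders, since the post does not name the impersonated entity's real domain. It flags the exact pattern cited above (a brand label with an appended `-ua` style suffix) and, more generally, TLD swaps and near-miss spellings.

```python
from difflib import SequenceMatcher

# Constructed watchlist of legitimate domains (hypothetical; the post does not
# name the impersonated entity's real domain).
WATCHLIST = ["courier.com", "postal-service.com"]

# Suffixes commonly appended to a brand label to look local or official.
SUFFIXES = ("ua", "ukr", "gov", "mail", "secure", "login")

def split_domain(domain):
    """Return (label, tld): 'courier-ua.com' -> ('courier-ua', 'com').
    The last dot-separated part is the TLD; 'gov.ua' style suffixes are not special-cased."""
    domain = domain.lower().strip().rstrip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld

def lookalike_reasons(candidate, legit, near_miss_threshold=0.85):
    """Explain why `candidate` resembles `legit`; an empty list means no match.
    An exact match is not a lookalike. Checks:
      1. brand label plus an appended suffix (courier-ua / courierua)
      2. same brand label under a different TLD
      3. near-miss spelling (digit substitution, swapped letters)
    """
    cand_label, cand_tld = split_domain(candidate)
    legit_label, legit_tld = split_domain(legit)
    if (cand_label, cand_tld) == (legit_label, legit_tld):
        return []
    reasons = []
    for suffix in SUFFIXES:
        if cand_label in (f"{legit_label}-{suffix}", f"{legit_label}{suffix}"):
            reasons.append(f"brand plus suffix '{suffix}'")
            break
    if cand_label == legit_label and cand_tld != legit_tld:
        reasons.append(f"tld swap .{legit_tld} -> .{cand_tld}")
    if not reasons and cand_label != legit_label:
        ratio = SequenceMatcher(None, cand_label, legit_label).ratio()
        if ratio >= near_miss_threshold:
            reasons.append(f"near miss (similarity {ratio:.2f})")
    return reasons

def find_lookalikes(candidate, watchlist=WATCHLIST):
    """Return [(legit_domain, reason), ...] for every watchlist entry matched."""
    return [(legit, reason) for legit in watchlist
            for reason in lookalike_reasons(candidate, legit)]

if __name__ == "__main__":
    # Constructed sample of newly observed domains; the first is the one the post cites.
    for d in ["courier-ua.com", "courier.net", "c0urier.com", "courier.com"]:
        print(d, "->", find_lookalikes(d) or "no match")
```

In practice the candidate list would come from a certificate-transparency or newly-registered-domain feed, and hits would be routed to a mail or DNS blocklist for review.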
One document that could be downloaded in this campaign was named "ukraine_opinion.pdf".
After downloading and opening the backdoored document, the user was presented with a notice prompting them to launch Windows Explorer. Once the user launched Windows Explorer, a backdoor named "RADISH" was installed.