
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities

This post provides insight and context on a sample of malicious activity targeting Ukrainian entities during the ongoing war. It highlights UNC1151 and suspected UNC2589 operations that use spear phishing with malicious documents as the entry point of malware infection chains.

UNC1151 is an APT group that has been active since at least 2009.

"By launching spear phishing attacks against Ukrainian government entities, they were able to obtain sensitive documents related to fighting the war in Eastern Ukraine."

Separately, several malicious document campaigns appear to have been run by a different group, but that group's observed activity was limited to spear phishing.

In one case, the threat actor registered a look-alike domain resembling that of one of the targeted entities: http://courier-ua.com (note the "-ua" appended to the organisation's name, imitating the .ua country suffix). Look-alike registrations of this kind are worth checking for in newly observed domains before the phishing mail arrives.
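The following Python script is an added example of the check just described; it is not code from the original report. It scores newly observed domains against a list of domains we consider legitimate, catching the pattern seen here (organisation name plus a folded-in country suffix) as well as hyphen/dot substitution and simple digit-for-letter homoglyphs, while ignoring genuine subdomains. The legitimate domains, every candidate other than courier-ua.com, and the 0.8 threshold are constructed assumptions for illustration.

```python
"""Flag look-alike domains that resemble a protected organisation's domain.

Added example, not part of the original report. All sample data below is
constructed except the page's own example, courier-ua.com.
"""

from difflib import SequenceMatcher

# Constructed list of domains belonging to the organisations we protect.
LEGITIMATE_DOMAINS = ["courier.ua", "example-ngo.org", "ministry.gov.ua"]

# Constructed sample of newly observed domains (e.g. from a passive-DNS or
# certificate-transparency feed). Only courier-ua.com comes from the report.
CANDIDATE_DOMAINS = [
    "courier-ua.com",        # organisation name with the ccTLD folded into the label
    "courier.ua",            # the legitimate domain itself, must not be flagged
    "mail.courier.ua",       # genuine subdomain, must not be flagged
    "examp1e-ngo.org",       # homoglyph: digit 1 in place of letter l
    "ministry-gov-ua.info",  # dots replaced by hyphens, new TLD
    "weather.example.net",   # unrelated domain, must not be flagged
]


def _labels(domain):
    """Split a domain into lower-case labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def _normalise(domain):
    """Collapse a domain to a comparison key: labels joined, hyphens removed,
    common digit-for-letter homoglyphs mapped back to letters."""
    key = "".join(_labels(domain)).replace("-", "")
    return key.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def lookalike_score(candidate, legitimate):
    """Similarity in [0, 1] between a candidate and a legitimate domain.

    Two signals: the legitimate organisation name appearing inside one of the
    candidate's non-TLD labels (the courier-ua pattern), and string similarity
    of the normalised forms (hyphenation, extra TLD, homoglyphs)."""
    legit_name = _labels(legitimate)[0]
    embedded = any(legit_name in label for label in _labels(candidate)[:-1])
    ratio = SequenceMatcher(None, _normalise(candidate), _normalise(legitimate)).ratio()
    # An embedded organisation name is a strong signal on its own; 0.95 is an assumed weight.
    return max(ratio, 0.95 if embedded else 0.0)


def find_lookalikes(candidates, legitimate_domains, threshold=0.8):
    """Return (candidate, matched_legitimate, score) for every candidate that
    resembles, but is not, a legitimate domain or one of its subdomains."""
    hits = []
    for cand in candidates:
        cand_labels = _labels(cand)
        for legit in legitimate_domains:
            legit_labels = _labels(legit)
            if cand_labels[-len(legit_labels):] == legit_labels:
                continue  # the legitimate domain itself or a genuine subdomain of it
            score = lookalike_score(cand, legit)
            if score >= threshold:
                hits.append((cand, legit, round(score, 2)))
                break  # report the first legitimate domain it resembles
    return hits


if __name__ == "__main__":
    for cand, legit, score in find_lookalikes(CANDIDATE_DOMAINS, LEGITIMATE_DOMAINS):
        print(f"{cand:24} resembles {legit:18} score={score}")
```

Run against a real feed, tune the threshold on a sample of your own domains first; the homoglyph map is deliberately small and should be extended (e.g. with Unicode confusables) for production use.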

One document that could be downloaded from this campaign was named "ukraine_opinion.pdf".

When the user downloaded and opened the weaponized document, it displayed a prompt to launch Windows Explorer. Once the user did so, a backdoor named "RADISH" was installed.

Source: Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities - AlienVault - Open Threat Exchange
