Ukraine is facing a two-pronged cyber attack by Kremlin-backed actors as it seeks to recruit new soldiers to join its war against Russia.
Researchers from Google’s Threat Intelligence Group (TAG) and Mandiant tracked active campaigns built around a spoofed version of Civil Defense, a legitimate Ukrainian crowd-sourced mapping tool used to find military recruiters. Attackers use the fake version for two malicious purposes at once: dropping malware and distributing disinformation.
The hybrid operation, which the researchers track as UNC5812, uses Telegram channels to lure prospective recruits into downloading a malicious version of Civil Defense from a spoofed site outside of Google Play. Once installed, the application delivers Windows and Android malware.
Russian operation pairs malware with social engineering
Windows users who visited the fake Civil Defense site to download the tool were served Pronsis Loader, which started a chain that delivered a malicious mapping application called Sunspinner and an information stealer called Purestealer.
Android users, meanwhile, received a widely used backdoor called Craxsrat in addition to Sunspinner.
“Notably, the Civil Defense website contains unconventional content aimed at pre-empting user skepticism about APK distribution outside the App Store and justifying the extensive permissions required to install Craxsrat,” the report said, describing this as a form of social engineering. “The website’s FAQ includes a strained justification for hosting the Android application outside of the App Store, suggesting this is an effort to ‘protect the anonymity and security’ of users, who are guided through the accompanying video instructions.”
This video also explains how to disable Google Play Protect.
“While the Civil Defense website also advertises support for macOS and iPhone, only Windows and Android payloads were available at the time of analysis,” the report said.
Sunspinner, a decoy graphical user interface (GUI) application built with the Flutter framework, provides functionality intended to convince victims that the application is legitimate.
“Consistent with the features advertised on the [legitimate] Civil Defense website, Sunspinner can display crowd-sourced markers for the locations of Ukrainian military recruiters, with an option for users to add their own markers,” according to Google TAG’s analysis. But the fake map only shows fake locations: “Despite having the limited functionality required for users to register and add markers, the displayed map does not appear to contain any genuine user input. All markers present [were pulled from the attacker’s C2 and] added by the same user on the same day.”
A parallel counter-mobilization operation against the Ukrainian military
Alongside espionage, another objective of Russia’s fake Civil Defense campaign is the spread of disinformation aimed at undermining Ukraine’s military mobilization efforts. The Civil Defense site and the malicious Telegram channel pushed out videos with inflammatory, anti-Ukrainian-military titles such as “Unjust acts from the territorial recruitment center,” the TAG and Mandiant report added.
“Users who click on the ‘Submit Materials’ button provided by the site run by Russian hackers are automatically sent to a chat thread controlled by the attackers, ostensibly to discredit the recruitment effort,” the report states. “The group’s website and Telegram channel appear to be informed by the broader pro-Russian social media ecosystem. In at least one instance, a video shared by UNC5812 was shared a day later by the X account of the Russian embassy in South Africa.”
Russia has consistently used cyber attacks as part of its war strategy against Ukraine, and against other governments as well, including the recent distributed denial of service (DDoS) campaign against Japanese ports. Russian hackers are also hard at work spreading disinformation ahead of the 2024 US election. The threat group currently considered the most active and direct supporter of Russia’s military operations in Ukraine is Sandworm, but as this newly revealed “Civil Defense” campaign highlights, it is just one of many hacker groups doing the Kremlin’s dirty work in cyberspace.