A threat actor, tracked as UAC-0149, is targeting the Ukrainian Defense Forces with malicious software disseminated through the Signal messaging app.
The phishing message was disguised as a request for documents to fill a position in the UN Department of Peacekeeping Operations. It carried a file named "Support.rar" containing an exploit for CVE-2023-38831, a WinRAR flaw in which opening a harmless-looking file from an archive that also holds a same-named folder causes a script inside that folder to be executed instead.
Upon successful exploitation, a CMD file named "support.pdf.cmd" is executed. It opens a decoy document labeled "DPO_SEC23-1_OMA_P-3_16-ENG.pdf" while downloading and executing the "COOKBOX" malware.
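As an added illustration (not code from the CERT-UA report or from this article), the following Python heuristic flags the archive layout that CVE-2023-38831 exploits rely on: a benign-looking file and a same-named directory (the two names may differ only by a trailing space) holding a script whose name starts with the decoy's and ends in an executable extension. The sample archive is constructed in memory as a ZIP, because WinRAR processes ZIPs the same way and Python's standard library can build one offline; the detection function itself works on any list of entry names, for example the listing of a RAR such as "Support.rar". The extension list, file names and function names are assumptions for the example.

```python
"""Heuristic detector for the archive layout used by CVE-2023-38831 exploits.

Added example, not part of the original article. The exploit places a decoy
file 'X' next to a directory 'X' (often 'X ' with a trailing space) that
contains a script such as 'X .cmd'; WinRAR extracts both and launches the
script when the user double-clicks the decoy.
"""
import io
import os
import zipfile

# Extensions WinRAR would hand to the shell as executables (assumed, partial list).
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".hta"}


def _normalize(name: str) -> str:
    """Canonical form for matching: drop the directory slash and trailing spaces
    (the exploit relies on WinRAR treating 'X' and 'X ' as the same name) and
    lower-case, since Windows file names are case-insensitive."""
    return name.rstrip("/").rstrip(" ").lower()


def find_cve_2023_38831_layout(entry_names):
    """Return a list of (decoy_file, script_name) pairs matching the exploit layout.

    entry_names: archive entries as '/'-separated paths; directory entries may
    end in '/' or be implied by the paths of the files inside them.
    """
    files = set()   # raw names of file entries
    dirs = {}       # normalized directory path -> leaf names inside it
    for raw in entry_names:
        if raw.endswith("/"):
            dirs.setdefault(_normalize(raw), [])
            continue
        files.add(raw)
        parent, _, leaf = raw.rpartition("/")
        if parent:
            dirs.setdefault(_normalize(parent), []).append(leaf)

    hits = []
    for decoy in sorted(files):
        key = _normalize(decoy)
        # A directory whose name collides with this file is the tell-tale sign.
        for leaf in dirs.get(key, []):
            stem, ext = os.path.splitext(leaf)
            # The script must start with the decoy's name so WinRAR's wildcard
            # extraction ('X *') pulls it out, and must carry an executable extension.
            if ext.lower() in EXEC_EXTS and _normalize(stem) == os.path.basename(key):
                hits.append((decoy, leaf))
    return hits


def scan_zip_bytes(data: bytes):
    """Apply the heuristic to an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_layout(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed sample reproducing the exploit layout (no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("support.pdf ", b"%PDF-1.4 decoy document (constructed)")
        zf.writestr("support.pdf /support.pdf .cmd",
                    b"@echo off\r\necho constructed sample, does nothing\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, script in scan_zip_bytes(build_sample_archive()):
        print(f"suspicious: decoy {decoy!r} shadows script {script!r}")
```

A directory that merely shares a name with a file is not enough on its own; the check also requires an executable-extension file inside it whose name begins with the decoy's, which is what separates the exploit layout from an ordinary archive. For RAR files, feed the entry names from your unpacker's listing into `find_cve_2023_38831_layout` directly.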
It's worth noting that the COOKBOX command-and-control server uses the NoIP dynamic DNS service, which lets the operators change the resolved IP address without changing the hostname embedded in the malware.
Additionally, the Ukrainian CERT-UA team has warned of a separate campaign involving WhatsApp. Unknown actors are disseminating messages urging recipients to vote in an electronic petition for the conferment of the title "Hero of Ukraine." These messages contain links to a website mimicking the official Electronic Petitions platform.
Upon clicking the link, victims are prompted to enter their mobile phone number, receive a generated code, and use it to link a third-party (attacker-controlled) device to their WhatsApp account through the app's device-linking settings, which gives that device access to the account's chats. Concurrently, the perpetrators distribute instructional videos detailing the steps to be taken.
As of April 20, 2024, CERT-UA identified 18 domain names associated with these malicious activities.