17 May 2022

German users seeking info about Ukraine crisis targeted with custom PowerShell RAT


Cybersecurity researchers at Malwarebytes Labs have discovered a new malicious campaign that targets internet users in Germany who are seeking updates about the current situation in Ukraine, using fake documents to deliver a custom PowerShell remote access trojan (RAT). The RAT is capable of stealing data and executing further malicious commands on a victim’s computer.

The threat actor uses a decoy website that imitates the official Baden-Württemberg website (the threat actor registered the domain after it expired) to lure victims into downloading a file named "2022-Q2-Bedrohungslage-Ukraine," ostensibly containing "important information and tips for dealing with the current threat posed by the Ukraine crisis."

The downloaded ZIP archive contains a CHM file made up of several compiled HTML files. When opened, it displays a fake error message while PowerShell quietly runs a Base64-encoded command that executes a script downloaded from the fake Baden-Württemberg website.

This script creates a folder called SecuriyHealthService in the current user’s directory and drops two files into it: MonitorHealth.cmd and a script called Status.txt, which is the custom PowerShell RAT. The malware collects information about the victim’s computer, such as the current username, working directory, and hostname, and builds a unique ID for the victim. The collected data is then sent to a German website to avoid suspicion.
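The behaviours described above, a CHM file spawning PowerShell with an encoded command and a RAT written into a fixed folder and file names, are both easy to turn into host-based detections. The following Python script is an added illustration written for this article, not code from Malwarebytes Labs or Cybersecurity Help: it triages constructed Sysmon-style process-creation and file-creation events (the field names `parent_image`, `image`, `command_line` and `target_filename` are assumed, not a real log schema), flags PowerShell started by hh.exe (the Windows CHM viewer), decodes the `-EncodedCommand` payload, and flags the artifact names from the report. The encoded command in the sample is a harmless placeholder built at runtime.

```python
import base64
import re

# Artifact names taken from the report. The folder name keeps the actor's typo.
DROPPED_DIR = "securiyhealthservice"
DROPPED_FILES = {"monitorhealth.cmd", "status.txt"}

# Matches the encoded-command switch in any of its accepted abbreviations.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell expects the Base64 text to encode a UTF-16LE string, which is
    why a plain UTF-8 decode of such payloads shows interleaved NUL bytes.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_chm_spawned_powershell(evt):
    """CHM files are rendered by hh.exe; a PowerShell child of it is rare in normal use."""
    parent = evt.get("parent_image", "").lower()
    image = evt.get("image", "").lower()
    return parent.endswith("\\hh.exe") and image.endswith(("\\powershell.exe", "\\pwsh.exe"))


def is_dropped_artifact(evt):
    """True when a created file matches the folder and file names the report describes."""
    parts = evt.get("target_filename", "").replace("/", "\\").lower().split("\\")
    return len(parts) >= 2 and parts[-2] == DROPPED_DIR and parts[-1] in DROPPED_FILES


def triage(events):
    """Return one finding per suspicious event, with the decoded payload where present."""
    findings = []
    for evt in events:
        if evt.get("event") == "process_create" and is_chm_spawned_powershell(evt):
            findings.append({
                "host": evt.get("host"),
                "reason": "powershell spawned by hh.exe",
                "decoded": decode_encoded_command(evt.get("command_line", "")),
            })
        elif evt.get("event") == "file_create" and is_dropped_artifact(evt):
            findings.append({
                "host": evt.get("host"),
                "reason": "known RAT artifact written",
                "path": evt.get("target_filename"),
            })
    return findings


def build_sample_events():
    """Constructed sample telemetry (not real logs); the encoded command is a placeholder."""
    placeholder = base64.b64encode(
        "Write-Output 'placeholder'".encode("utf-16-le")
    ).decode("ascii")
    return [
        {"event": "process_create", "host": "ws01",
         "parent_image": "C:\\Windows\\hh.exe",
         "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "command_line": "powershell.exe -w hidden -EncodedCommand " + placeholder},
        {"event": "file_create", "host": "ws01",
         "target_filename": "C:\\Users\\alice\\SecuriyHealthService\\Status.txt"},
        # Ordinary interactive PowerShell use: must not fire.
        {"event": "process_create", "host": "ws02",
         "parent_image": "C:\\Windows\\explorer.exe",
         "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "command_line": "powershell.exe -NoProfile"},
        # Same file name in an unrelated folder: must not fire.
        {"event": "file_create", "host": "ws02",
         "target_filename": "C:\\Users\\bob\\Documents\\Status.txt"},
    ]


if __name__ == "__main__":
    for finding in triage(build_sample_events()):
        print(finding)
```

The file-name check deliberately requires both the folder and the file name, so that a benign Status.txt elsewhere in a profile does not page anyone; the process check, by contrast, fires on the parent/child pair alone, because decoding the payload is useful for triage but should not be a precondition for the alert.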

While the researchers have not been able to attribute this campaign to any specific threat actor, they have allowed for the possibility that a Russian actor may be behind it.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні! (Glory to Ukraine!)

