Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of a new wave of phishing attacks that target Ukrainian state railway and government agencies in order to infect systems with the DolphinCape malware.
The attack involves phishing emails with a malicious attachment ostensibly sent by Ukraine’s State Emergency Service with recommendations on how to identify Iranian-made Shahed-136 kamikaze drones that Russia is continually using to attack crucial energy infrastructure in Ukraine. As of December, the terrorist state has damaged nearly 50% of Ukraine’s energy infrastructure, including all thermal and hydroelectric power plants.
The attachment contains a RAR archive named “shahed-136.rar” with a VBScript script that, when executed, runs a PowerShell script. The PowerShell script downloads two files, “WibuCm32.dll” and “CodeMeter.exe” (a legitimate file), and relies on the DLL side-loading technique: the legitimate CodeMeter.exe loads the malicious WibuCm32.dll placed alongside it.
WibuCm32.dll is the DolphinCape malware, which collects information about the compromised computer (hostname, username, OS bitness, and OS version), runs executable files, exfiltrates other data, and takes screenshots of the targeted device.
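The delivery chain described above gives defenders two host-level signals to look for: a script host (wscript.exe/cscript.exe) spawning PowerShell, and the legitimate CodeMeter.exe loading WibuCm32.dll from a user-writable directory rather than its normal install location. The following Python is an added example, not CERT-UA's code; the Sysmon-style events, field names and paths are constructed for illustration.

```python
"""Flag the DolphinCape delivery chain in Sysmon-style telemetry.

Constructed sample events (not real logs): EventID 1 = process create,
EventID 7 = image (DLL) load. Field names mirror Sysmon's; the events
and paths are made up for this example.
"""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where a legitimately installed CodeMeter.exe would normally live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SIDELOAD_PAIR = ("codemeter.exe", "wibucm32.dll")  # legitimate host exe, malicious DLL

SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\CodeMeter.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\WibuCm32.dll"},
    {"EventID": 7, "Image": "C:\\Program Files (x86)\\CodeMeter\\Runtime\\bin\\CodeMeter.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\CodeMeter\\Runtime\\bin\\WibuCm32.dll"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path):
    # Compare the parent directory (with a trailing separator) against the allow-list.
    return (str(PureWindowsPath(path).parent).lower() + "\\").startswith(TRUSTED_DIRS)


def check_event(ev):
    """Return a finding string for a suspicious event, else None."""
    if ev["EventID"] == 1:
        if _name(ev["ParentImage"]) in SCRIPT_HOSTS and _name(ev["Image"]) == "powershell.exe":
            return "script host spawned PowerShell (VBScript stage)"
    elif ev["EventID"] == 7:
        host, dll = _name(ev["Image"]), _name(ev["ImageLoaded"])
        if (host, dll) == SIDELOAD_PAIR and not _in_trusted_dir(ev["ImageLoaded"]):
            return f"{host} side-loaded {dll} from untrusted path {ev['ImageLoaded']}"
    return None


def scan(events):
    """Return (index, finding) pairs for every event that triggers a rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]


if __name__ == "__main__":
    for i, finding in scan(SAMPLE_EVENTS):
        print(f"event {i}: {finding}")
```

The install-path allow-list only suppresses the known-good location; a copy of CodeMeter.exe dropped into a temp folder is flagged even though the binary itself is legitimate.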
The indicators of compromise related to this malicious activity, which CERT-UA is tracking as UAC-0140, are available in the team’s security advisory.