Hackers targeting Delta military system users in Ukraine with FateGrab, StealDeal infostealers

Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a security alert warning that hackers are targeting users of the Delta military intelligence system with the FateGrab and StealDeal malware.

Developed by the Center for Innovation and Development of Defense Technologies of the Ministry of Defense of Ukraine, Delta is a situational awareness program (first presented in October 2022) that provides the military with data about enemy forces and supports the coordination of its own forces on the battlefield. Delta is used for planning operations and combat missions, coordination with other units, secure exchange of information on the location of enemy forces, etc.

According to CERT-UA, the malware is being spread via emails sent from the compromised email address of a Ministry of Defense employee, and via messaging platforms. The malicious message contains a warning that the certificate for the Delta system must be updated, together with a PDF document carrying a link to a malicious ZIP archive.

After the victim clicks the link, an archive named “certificates_rootca.zip” is downloaded to the system. It contains an executable named “certificates_rootCA.exe” that is protected with the VMProtect tool.

VMProtect is a Russian-made security envelope and file compressor utility that makes reverse engineering of protected software quite difficult. Multiple reports indicate that VMProtect has also been used to obfuscate malicious software.

Once the executable is run, several DLL files are created along with a file called “ais.exe,” which simulates a certificate installation process; this chain leads to the installation of the FateGrab and StealDeal information-stealing malware.

CERT-UA is tracking this activity as UAC-0142.
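The infection chain described above (the VMProtect-packed “certificates_rootCA.exe” spawning “ais.exe”) can be expressed as a simple process-lineage detection. The following is an added example, not code from CERT-UA or from this page; it runs over constructed Sysmon-style process-creation events, and the five-minute correlation window and the event field names are assumptions.

```python
"""Flag the UAC-0142 chain reported by CERT-UA: certificates_rootCA.exe -> ais.exe."""
from dataclasses import dataclass

# File names taken from the CERT-UA alert as reported on this page.
DROPPER = "certificates_rootca.exe"
STAGER = "ais.exe"


@dataclass
class ProcEvent:
    host: str
    ts: int       # seconds since epoch (constructed values)
    image: str    # full path of the created process
    parent: str   # full path of the parent process


def _basename(path: str) -> str:
    """Case-insensitive file name; the page shows the archive as
    'rootca' but the executable as 'rootCA', so never compare case-sensitively."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chain(events, window=300):
    """Return (host, ts) pairs where ais.exe is spawned by the dropper
    within `window` seconds of the dropper itself starting on that host."""
    hits = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        dropper_starts = [e.ts for e in evs if _basename(e.image) == DROPPER]
        for e in evs:
            if _basename(e.image) != STAGER or _basename(e.parent) != DROPPER:
                continue
            if any(0 <= e.ts - t <= window for t in dropper_starts):
                hits.append((host, e.ts))
    return hits


# Constructed sample telemetry: ws-01 shows the full chain, ws-02 only an
# unrelated process that happens to share the stager's name.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", 1000, r"C:\Users\u\Downloads\certificates_rootCA.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("ws-01", 1010, r"C:\Users\u\AppData\Local\Temp\ais.exe",
              r"C:\Users\u\Downloads\certificates_rootCA.exe"),
    ProcEvent("ws-02", 2000, r"C:\Program Files\Vendor\ais.exe",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    print(find_chain(SAMPLE_EVENTS))  # [('ws-01', 1010)]
```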

Last week, the agency warned of a new wave of phishing attacks targeting Ukrainian state railway and government agencies in order to infect systems with the DolphinCape malware. Google-owned cybersecurity firm Mandiant has also warned that a threat actor it tracks as UNC4166 has used trojanized versions of the Windows 10 OS installer, spread via Ukrainian- and Russian-language torrent websites, to infect local government entities with malware capable of collecting data from compromised computers, downloading additional malicious tools, and exfiltrating stolen data to attacker-controlled servers.

