24 May 2023

Ukraine, Israel, India, and Kazakhstan targeted in cyber-espionage campaign


Ukraine, Israel, India, and Kazakhstan targeted in cyber-espionage campaign

Ukraine's computer emergency response team (CERT-UA) has spotted a cyber-espionage operation targeting an unnamed state entity in Ukraine.

Tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. CERT-UA, which has been tracking UAC-0063 since 2021, said that the group’s goal is cyber-espionage. The origins of this threat actor is currently unclear.

The observed campaign involved phishing emails purported to be from the Embassy of Tajikistan in Ukraine, likely sent from a previously compromised email account.

The malicious emails contained weaponized DOCX files documents designed to trigger the download of several malware tools, including:

  • Logpie - a keylogger that captures and logs every keystroke, including passwords, usernames, messages, and other sensitive information entered by the user

  • Cherryspy - a backdoor that executes Python code received from a management server

  • Stillarch - malware used to find and exfiltrate files, including data from the Logpie keylogger

To make forensic analysis more difficult the threat actor used PyArmor (a tool designed for obfuscating Python scripts) and Themida (a packer to protect applications against reverse engineering).

To minimize the attack surface organizations are advised to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter.


Back to the list

Latest Posts

Free VPN provider SuperVPN exposes 360 million user records

Free VPN provider SuperVPN exposes 360 million user records

In total, 133GB of sensitive data including user email addresses, original IP addresses, and geolocation information is said to have been exposed in the leak.
29 May 2023
Cyber security week in review: May 26, 2023

Cyber security week in review: May 26, 2023

The world in brief: New ICS malware discovered, hacktivists expose Russian hacker wanted in the US, Pegasus spyware found in Armenia and Azerbaijan, and more.
26 May 2023
Barracuda’s email gateway appliances breached via zero-day bug

Barracuda’s email gateway appliances breached via zero-day bug

The vulnerability resided in a module which initially screens the attachments of incoming emails.
25 May 2023