26 February 2024

Threat actor UAC-0149 targets Armed Forces of Ukraine with Cookbox backdoor

The Government Response Team on Computer Security Incidents of Ukraine (CERT-UA) has warned of a targeted cyberattack aimed at infecting the computer systems used by the Armed Forces of Ukraine with the Cookbox backdoor.

According to CERT-UA, an unidentified individual sent an Excel document named “1_ф_5.39-2024.xlsm” via the Signal messenger to several military personnel, claiming to have problems generating a report. The file contained a VBA script that triggered the download and execution of a PowerShell script named “mob2002.data.”

The PowerShell script, downloaded from GitHub, modifies the Windows registry: it stores a base64-encoded payload under ‘HKEY_CURRENT_USER\SOFTWARE\Microsoft\XboxCache,’ which ultimately executes the Cookbox malware.

Cookbox is a PowerShell script that implements functionality for downloading and executing PowerShell cmdlets.

Dynamic DNS services (such as gotdns.ch and myftp.biz) and Cloudflare Workers are used to operate the command-and-control servers.
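The registry location and the C2 hosting named above give a defender something concrete to hunt for. The following PowerShell script is an added example written for this page; it is not CERT-UA's code or a reproduction of the Cookbox script. It reads the values stored under the XboxCache key quoted in the report, decodes any that look like base64, and flags decoded content containing download-and-execute tokens or references to the dynamic DNS providers named in the report (the Cloudflare Workers default domain workers.dev, the token list and the length threshold are this example's own choices, not indicators from the article).

```powershell
# Added hunting example (not from CERT-UA or the article). Inspects the registry
# location named in the report for base64-encoded PowerShell and flags C2-style strings.
# Assumptions: the key path is as quoted in the article; the suspicious-token list,
# the domain watch list and the minimum length are this example's own choices.

$KeyPath = 'HKCU:\SOFTWARE\Microsoft\XboxCache'

# Substrings that, inside a decoded registry value, warrant analyst review.
$SuspiciousTokens = @('IEX', 'Invoke-Expression', 'DownloadString', 'Invoke-WebRequest',
                      'FromBase64String', 'Net.WebClient')

# Dynamic DNS providers named in the report, plus the Cloudflare Workers default domain (assumed).
$WatchDomains = @('gotdns.ch', 'myftp.biz', 'workers.dev')

function Test-Base64String {
    param([string]$Text)
    # Plausible base64: only the base64 alphabet, length a multiple of 4, and long enough
    # to carry a script rather than a short configuration value (16 is an arbitrary floor).
    $clean = $Text -replace '\s', ''
    return ($clean.Length -ge 16) -and
           ($clean.Length % 4 -eq 0) -and
           ($clean -match '^[A-Za-z0-9+/]+={0,2}$')
}

function Decode-Base64Value {
    param([string]$Text)
    $bytes = [Convert]::FromBase64String(($Text -replace '\s', ''))
    # PowerShell -EncodedCommand payloads are UTF-16LE, so roughly every second byte is NUL;
    # plain scripts are usually UTF-8. Pick the decoding by that byte pattern.
    $nulCount = @($bytes | Where-Object { $_ -eq 0 }).Count
    if ($bytes.Length -gt 1 -and $nulCount -ge [int]($bytes.Length / 3)) {
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Get-RegistryFindings {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path $Path)) {
        Write-Verbose "$Path not present; nothing to inspect."
        return $findings
    }
    $item = Get-ItemProperty -Path $Path
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSProvider; skip those.
        if ($prop.Name -like 'PS*') { continue }

        # REG_BINARY values arrive as byte[]; treat them as ASCII text before the base64 test.
        if ($prop.Value -is [byte[]]) {
            $value = [Text.Encoding]::ASCII.GetString($prop.Value)
        } else {
            $value = [string]$prop.Value
        }
        if (-not (Test-Base64String $value)) { continue }

        $decoded = Decode-Base64Value $value
        $hits    = @($SuspiciousTokens | Where-Object { $decoded -match [regex]::Escape($_) })
        $domains = @($WatchDomains     | Where-Object { $decoded -match [regex]::Escape($_) })

        $findings += [pscustomobject]@{
            Key       = $Path
            ValueName = $prop.Name
            Length    = $value.Length
            Tokens    = ($hits -join ',')
            Domains   = ($domains -join ',')
            Preview   = $decoded.Substring(0, [Math]::Min(120, $decoded.Length))
        }
    }
    return $findings
}

# Any base64 value under this key is worth a look; populated Tokens or Domains columns
# mean the decoded content resembles a downloader or references watched C2 hosting.
Get-RegistryFindings -Path $KeyPath | Format-List
```

The script only reads the registry and prints what it finds; it deliberately does not execute or clean up anything, so it can run on a suspect host before an image is taken. Because the key lives under HKEY_CURRENT_USER, run it in the context of each user profile you want to check, or adapt it to iterate over loaded user hives under HKEY_USERS.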

The described activity, tracked as UAC-0149, has been ongoing since at least autumn 2023, CERT-UA said.

Last week, Recorded Future’s Insikt Group reported that the Russia-linked Winter Vivern cyberespionage group has been abusing an XSS vulnerability in the popular RoundCube webmail software in a cyberespionage campaign targeting government, military, and national infrastructure-related entities across Europe, including Ukraine, Poland and Georgia.

Additionally, security researchers at ESET uncovered a disinformation campaign aimed at Ukrainian speakers both within Ukraine and abroad. Dubbed “Operation Texonto,” the campaign employs a variety of tactics aimed at sowing seeds of doubt and spreading false information among the Ukrainian populace.
