18 July 2024

Ukrainian defense companies targeted in a new wave of attacks


Ukrainian defense companies targeted in a new wave of attacks

Ukraine's Computer Emergency Response Team (CERT-UA), has warned of a new series of cyberattacks targeting Ukrainian defense enterprises. The attackers are leveraging the theme of Unmanned Aerial Vehicles (UAVs) procurement to lure their victims.

The campaign has been attributed to a threat actor CERT-UA tracks as UAC-0180. The group utilizes various types of malware and may pose as government officials to gain the trust of their targets. UAC-0180’s arsenal includes a variety of malware written in various programming languages such as C (ACROBAIT), Rust (ROSEBLOOM, ROSETHORN), Go (GLUEEGG), Lua (DROPCLUE).

The attack begins with an email containing a ZIP file attachment. This ZIP file includes a PDF document with a link, urging the recipient to follow it to “download missing fonts.”

Upon clicking the link, the victim downloads a file named “adobe_acrobat_fonts_pack.exe,” which is, in reality, malicious software known as GLUEEGG. This software decrypts and runs the loader called DROPCLUE.

DROPCLUE then downloads and opens two files on the victim's computer: a decoy PDF file and an executable file named “font-pack-pdf-windows-64-bit.” Ultimately, this executable file installs a legitimate remote management tool called ATERA. This allows the attackers to gain unauthorized access to the victim's computer.

More technical details as well as Indicators of Compromise (IoCs) related to this campaign can be found in CERT-UA’s advisory.

Back to the list

Latest Posts

UAC-0185 targets Ukrainian defense forces and defense industry sector

UAC-0185 targets Ukrainian defense forces and defense industry sector

The emails included a malicious link, clicking on which triggered the download of malware.
9 December 2024
New malware botnet Socks5Systemz powers illegal proxy service

New malware botnet Socks5Systemz powers illegal proxy service

The botnet relies on loaders like PrivateLoader, SmokeLoader, and Amadey to persist on compromised systems.
9 December 2024
A new technique can bypass existing isolation mechanisms in modern browsers

A new technique can bypass existing isolation mechanisms in modern browsers

The method works across all types of browser isolation.
9 December 2024