13 August 2024

Over 100 Ukraine’s govt PCs infected with malware in new UAC-0198 campaign


Over 100 Ukraine’s govt PCs infected with malware in new UAC-0198 campaign

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign that is impersonating the Security Service of Ukraine (SSU) to infect computer systems with malware.

According to the agency, the threat actor, which it tracks as UAC-0198, has managed to infect more than 100 computer in Ukrainian government agencies’ networks with the AnonVNC malware.

The attackers used emails that appeared to be from the SSU, luring victims to click on a malicious link. Upon clicking, an MSI file named "Scan_docs#40562153.msi" was downloaded onto the victim computer.

When executed, this file deployed the AnonVNC (MESHAGENT) malware, granting the attackers unauthorized access to the compromised systems.

CERT-UA noted that some of the malware samples were signed using a code signing certificate from a company named Shenzhen Variable Engine E-commerce Co Ltd, which suggests the potential involvement of Chinese entities or the misuse of their credentials.

The AnonVNC malware contains a configuration file similar to that of MESHAGENT, an open-source software available on GitHub. CERT-UA said it is temporarily referring to the malware as AnonVNC, with a nod to its origins in MESHAGENT.

The agency said that the attacks have been ongoing since at least July 2024 and may have a broader geographical scope. Evidence suggests that the campaign extends beyond Ukraine, with over a thousand EXE and MSI files related to the attack campaign being uploaded to the file-sharing service pCloud since August 1, 2024.


Back to the list

Latest Posts

What is Vulnerability Management? A Beginner's Guide

What is Vulnerability Management? A Beginner's Guide

In this article will try to cover basics of vulnerability management process and why it is important to every company.
11 September 2024
Cyber Security Week in Review: September 6, 2024

Cyber Security Week in Review: September 6, 2024

In brief: the US charges Russian GRU hackers for attacks on Ukraine, Apache, Cisco, Zyxel patch high-risk flaws, Google fixes Android zero-day, and more.
6 September 2024
Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Some of the documents appeared to be part of legitimate Red Team exercises, while other were intended for malicious purposes.
5 September 2024