30 October 2024

Large-scale phishing campaign targeting Ukraine's taxpayers


Ukraine's Government Computer Emergency Response Team (CERT-UA) is warning of a widespread phishing campaign involving emails with tax-related subjects, containing attachments disguised as official requests from the State Tax Service of Ukraine. This malicious campaign is financially motivated and is attributed to a threat group tracked as UAC-0050, targeting enterprise accountants who handle remote banking systems.

The phishing emails carry PDF attachments containing links to file-hosting services (such as qaz.im, qaz.is, and qaz.su). When a user clicks one of these links, a file named “dps_tax_gov_ua_0739220983.rar” is downloaded to their computer. The archive contains a password-protected file with a malicious self-extracting executable.

Once launched, this executable displays a decoy document to distract the user while silently installing an MSI package that deploys the LiteManager remote management tool. LiteManager provides unauthorized access to the infected computer, enabling attackers to control the device and potentially access sensitive financial information.

The main targets of this cyber-attack are accountants with access to corporate remote banking systems. CERT-UA has noted that, based on forensic analyses, attackers can often escalate to direct financial theft in under an hour from the initial compromise.
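As an added example (not part of the CERT-UA warning or the original article), the following Python sketch triages web proxy logs for the download stage described above: requests to the named file-hosting domains and archive names shaped like the lure file. The log format, client host names and URL paths are constructed, and the assumption that other lures follow the `dps_tax_gov_ua_<digits>.rar` naming scheme is ours, generalized from the single file name on the page.

```python
import re
from urllib.parse import urlsplit

# File-hosting domains named in the CERT-UA warning above.
HOSTING_DOMAINS = ("qaz.im", "qaz.is", "qaz.su")
# Assumption: other lures follow the same naming scheme as the one file name
# on the page (dps_tax_gov_ua_<digits>.rar).
LURE_NAME = re.compile(r"dps_tax_gov_ua_\d+\.rar$", re.IGNORECASE)

# Constructed sample proxy log: "<ISO timestamp> <client host> <URL>".
SAMPLE_LOG = """\
2024-10-30T09:12:01 ACC-PC-07 https://qaz.im/load/AbCd/dps_tax_gov_ua_0739220983.rar
2024-10-30T09:12:40 ACC-PC-07 https://example.org/reports/q3.pdf
2024-10-30T09:15:22 HR-PC-02 https://files.qaz.su/x/invoice.zip
2024-10-30T09:16:03 DEV-PC-11 https://notqaz.im/dps_tax.rar
2024-10-30T09:20:10 ACC-PC-09 https://cdn.example.net/dl/DPS_TAX_GOV_UA_1122334455.RAR
"""

def on_hosting_domain(hostname):
    """True for the domain itself or a subdomain, not for look-alike suffixes."""
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in HOSTING_DOMAINS)

def triage(log_text):
    """Return (client, url, reasons) for each log line worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        _, client, url = parts
        split = urlsplit(url)
        reasons = []
        if on_hosting_domain(split.hostname):
            reasons.append("hosting-domain")
        if LURE_NAME.search(split.path):
            reasons.append("lure-filename")
        if reasons:
            findings.append((client, url, reasons))
    return findings

if __name__ == "__main__":
    for client, url, reasons in triage(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
```

Hits on workstations used for remote banking deserve the fastest follow-up, given the under-an-hour escalation CERT-UA reports.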

