Ukraine's Computer Emergency Response Team (CERT-UA) reported a widespread phishing campaign aimed at tax professionals. The attackers sent emails with tax-related subjects and PDF attachments mimicking requests from the State Tax Service of Ukraine.
The documents contained links to file-sharing services (qaz.im, qaz.is, qaz.su). Clicking a link triggered the download of an archive file named dps_tax_gov_ua_0739220983.rar. The file contained multiple nested archives, ultimately leading to a password-protected archive. Within this archive was an executable file disguised as a PDF document.
When executed, the file opens a decoy document while simultaneously installing an MSI package for the remote administration tool LiteManager. This tool gives the attackers unauthorized and covert remote access to the infected computer.
CERT-UA attributes this activity to the financially motivated group UAC-0050. Accountants using remote banking systems are particularly vulnerable: in some reported cases, funds were stolen within an hour of the initial compromise.
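The execution chain described above (a PDF-disguised executable that opens a decoy document and starts an MSI installation) can be hunted for in process-creation telemetry. The following is an added example, not code from CERT-UA; it assumes the disguise is a double extension such as `.pdf.exe`, and the event fields, paths and file names are constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Assumption: the disguise is a document extension placed before the real one.
MASQUERADE = re.compile(r"\.pdf\s*\.(exe|scr|com|pif)$", re.I)

# Constructed events in the style of Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Users\acct\Downloads\request.pdf.exe",
     "cmdline": "request.pdf.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Program Files\Reader\reader.exe",
     "cmdline": r'reader.exe "C:\Users\acct\AppData\Local\Temp\request.pdf"'},
    {"pid": 4131, "ppid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\acct\AppData\Local\Temp\setup.msi" /qn'},
    # Benign activity: a normal PDF open and an unrelated software install.
    {"pid": 5200, "ppid": 900, "image": r"C:\Program Files\Reader\reader.exe",
     "cmdline": r'reader.exe "C:\Users\acct\Documents\invoice.pdf"'},
    {"pid": 5300, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Installers\office.msi"'},
]

def find_decoy_installer_chains(events):
    """Flag PDF-masquerading executables that spawn msiexec.exe.

    Severity is 'high' when the same parent also opened a .pdf (the decoy),
    'medium' when only the MSI installation is seen.
    """
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    findings = []
    for ev in events:
        if not MASQUERADE.search(basename(ev["image"])):
            continue
        kids = children[ev["pid"]]
        msi = [k for k in kids if basename(k["image"]).lower() == "msiexec.exe"]
        decoy = [k for k in kids
                 if k not in msi and re.search(r"\.pdf\b", k["cmdline"], re.I)]
        if msi:
            findings.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "msi_cmdlines": [k["cmdline"] for k in msi],
                "decoy_opened": bool(decoy),
                "severity": "high" if decoy else "medium",
            })
    return findings
```

Running `find_decoy_installer_chains(SAMPLE_EVENTS)` flags only the `request.pdf.exe` chain; the ordinary PDF open and the unrelated `msiexec.exe` run are ignored because neither has a masquerading parent.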