2 December 2024

Phishing campaign targeting tax professionals in Ukraine with LiteManager malware


Ukraine's Computer Emergency Response Team (CERT-UA) reported a widespread phishing campaign aimed at tax professionals. The attackers sent emails with tax-related subjects and PDF attachments mimicking requests from the State Tax Service of Ukraine.

The documents contained links to file-sharing services (qaz.im, qaz.is, qaz.su). Clicking a link triggered the download of an archive named dps_tax_gov_ua_0739220983.rar, which contains multiple nested archives that ultimately lead to a password-protected archive. Inside that archive is an executable file disguised as a PDF document.

When executed, the file opens a decoy document while simultaneously installing an MSI package for the remote administration tool LiteManager. This tool gives the attackers unauthorized, covert remote access to the infected computer.

CERT-UA attributes this activity to the financially motivated group UAC-0050. Accountants who use remote banking systems are particularly vulnerable; in some reported cases, funds were stolen within an hour of the initial compromise.
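A triage check for the delivery chain described above, run over the contents of an unpacked archive or a downloads folder: it flags files that present as PDF documents but would run as code. This is an added example, not CERT-UA's tooling; the report does not say how the file is disguised, so the name-based heuristic, the extension list and the sample file names are assumptions.

```python
import os
import tempfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}   # extensions Windows runs directly
PE_MAGIC = b"MZ"                               # DOS/PE executable header
PDF_MAGIC = b"%PDF-"                           # genuine PDF header

def classify(name, head):
    """Classify a file from its name and its first bytes."""
    lowered = name.lower().strip()
    ext = os.path.splitext(lowered)[1]
    claims_pdf = ".pdf" in lowered     # assumption: the disguise shows in the name
    runs_as_code = head.startswith(PE_MAGIC) or ext in EXEC_EXTS
    if claims_pdf and runs_as_code:
        return "disguised-executable"
    if runs_as_code:
        return "executable"
    if PDF_MAGIC in head[:1024]:
        return "pdf"
    return "other"

def scan_dir(root):
    """Return {relative_path: verdict} for files flagged as disguised executables."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(1024)
            verdict = classify(fname, head)
            if verdict == "disguised-executable":
                hits[os.path.relpath(full, root)] = verdict
    return hits

def demo():
    """Write constructed sample files (not real samples) and scan them."""
    samples = {
        "request.pdf": b"%PDF-1.7\n",          # real PDF header
        "request.pdf.exe": b"MZ\x90\x00",       # double extension
        "scan_request.pdf": b"MZ\x90\x00",      # PE bytes behind a .pdf name
        "installer.exe": b"MZ\x90\x00",         # ordinary executable, not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sorted(scan_dir(root))

if __name__ == "__main__":
    print(demo())
```

The check only sees files that have already been extracted; the password-protected inner archive described above is opaque to content scanning until it is opened.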

