Cyber Espionage using PowerShell stealer WRECKSTEEL

April 3, 2025, 7:04 p.m.

Description

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. These links download a VBScript loader, which then launches a PowerShell script to search and upload specific file types using cURL. The malicious activity, tracked as UAC-0219, has been ongoing since fall 2024. The primary tool, classified as WRECKSTEEL, exists in both VBScript and PowerShell versions. Earlier attacks in 2024 used EXE files created with NSIS installers, containing decoy documents and the IrfanView program for screenshots. CERT-UA urges immediate reporting of any detected cyberattack signs.

External References

https://otx.alienvault.com/pulse/67eed31e2e5388397fc6bf7e
Tags
powershell
ukraine
cyber espionage
government
vbscript
critical infrastructure
2025-04-03
file stealing
wrecksteel

Date

  • Created: April 3, 2025, 6:27 p.m.
  • Published: April 3, 2025, 6:27 p.m.
  • Modified: April 3, 2025, 7:04 p.m.

Indicators

  • f2ee357c18fb1a3d229a365023456b4ce561db62e761e427fef638ec0f371ede
  • ee8d452a1cc9bcd7e0f002a901a4ce63ddf98c0e13cba415f7325cd9cdccf0b8
  • e7fdee4fab59f8c4351e3c9e0a478803df9c7ac5f9163d13f476d9bb4abce5ee
  • d26aa72fd238c0408fd365b96d8aa9662be3d4c9d479309bef428e34831aaf42
  • cae156d492a4aa07e3d3e4b15f843308c09df7f2c8bf44d9e7093b4393e01fe1
  • c386bce3de6854bd1424467242f9cf95271de39890b5a2fb3e884e509b1b03c6
  • a3d91c4c039e50718d930cd5251e382f0f3997ec63e872539644b8c735bd4961
  • c02e57c49d940a279852109a06c19a78052dd51300975037413133c1a79e97ac
  • 9a921a344913d442430a31a3dc1d01aff2b416ca601fed68633021ffefc92fab
  • 92f961d3cb29eda1214c24c0f882f49fb9e43885f696ebec2891380e6e4ec400
  • 8acb7292c2b1163746296941977d191ef8d5fcf8bd646e4f5c4ab8718fe7b866
  • 89534f86ab5daaf55ce818872960eaa4eb64f4cc19118feea690638bf1156528
  • 84b438fac113615c2e81f440de2cafa4e2ccd74adc4867d73df30bb9d01dcdb6
  • 6089e28a711e519890b05283de1e4abb7b63aa4d09e7ab90a92f65585779fa4b
  • 566609e0e042b611c9d929cb94be4b5a17e7dbb884b4ebd2e0d68adc9fa6bf73
  • 4bdaa2e9bc6c6986981d039b29085683ed36b5c2549466101a81ad660281465c
  • 3c6c0ed1ff12b5489a6838b7a9d4ab84bb8e2b5f0b46fb093b39b0f030b5ef16
  • 2e38f3413f88b38ac5f958de12e6fec37dd53de3f8fb1644172e112346e5ede2
  • 24885b72dc3ce5cc1530fd003bcbfb108d311de1a4ce828cb7cdc2411e705337
  • 1dc1d8ccb2ca280ef9083c334432909d2a9f86eca225252a3e9a4708adc98931
  • 1235bf9c1b0d2a54e451b512ad34a81774d637ae58436416388fb3b7f901ad6e
  • 45.61.159.252
  • 91.203.63.10
  • 45.61.157.179
  • 185.212.44.87
  • 172.86.88.15
  • 172.86.88.186
  • 172.86.84.84
  • 172.86.65.194
  • 172.86.72.194
  • 172.86.122.94
  • 172.86.116.135
  • 172.86.114.149
  • 144.172.98.178
  • 143.244.46.116
  • 45.61.141.215
  • 172.86.104.17
  • 107.189.20.74
  • www.eschool-ua.online
  • http://mfashara.com/
  • http://iocreestr.tech/zakon_rada/cabinet_ministriv_postanova_1559_2024/read/
  • http://dropmefiles.top/ua/d/ebc5ka/d996e31032e7c288d7e20e7b82221c20/aefdd4d762a9657db41c23f9c4de424a
  • http://dropmefiles.cc/ua/d/pweym/db923cfd3b8b67f23a1b6dee06f1f66c/62bef3a44fd6eb0da37ffb4121c6f354
  • http://drobbox.cloud/
  • http://45.61.159.252/visa_letter.exe
  • http://45.61.157.179/upload
  • http://45.61.157.179/script.ps1'
  • http://172.86.88.186/upload
  • http://45.61.157.179/script.ps1
  • http://172.86.88.186/scripttest2.ps1
  • http://172.86.88.186/List_of_spivrobitnykiv_for_reducing_wage_10.03_PDF.pdf
  • http://172.86.88.15/upload
  • http://172.86.88.15/scripttest.ps1'
  • http://172.86.88.15/Spisok_spivrobitnykiv_na_zmenshennya_zarobitnoyi_plati_06.03_PDF.pdf
  • http://172.86.88.15/scripttest.ps1
  • http://172.86.122.94/scrxxx.ps1'
  • http://172.86.114.149:80/upload
  • http://172.86.114.149/seeddoc.exe
  • http://172.86.104.17/upload
  • http://172.86.104.17/scratest.ps1'
  • http://172.86.104.17/scratest.ps1
  • http://172.86.104.17/Zmini_v_hrafiku_roboti_spivrobitnykiv_14.04.2025_PDF.pdf
  • http://167.88.167.254:80/upload
  • http://144.172.98.178/upload
  • http://144.172.98.178/scretest.ps1'
  • http://144.172.98.178/List_of_employees_for_reduction_of_salary_20.03_PDF.pdf
  • http://144.172.98.178/scretest.ps1
  • http://107.189.20.74/screvan.ps1'
  • eschool-ua.online
  • dropmefiles.top
  • dropmefiles.cc
Download all indicators here!

Attack Patterns

  • WRECKSTEEL
  • UAC-0219
  • T1059.005
  • T1074
  • T1059.001
  • T1571
  • T1113
  • T1005
  • T1105
  • T1204
  • T1566

Additional Informations

  • Government
  • Ukraine