Report on Ukraine government attack campaign

Aug. 23, 2024, 9:02 a.m.

Description

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfuscated PowerShell script designed to install the SPECTR malware and the new FIRMACHAGENT program. These components enabled data theft, document exfiltration, screenshot capturing, and browser data theft, while scheduled tasks managed the malware components. Reducing the attack surface by limiting user privileges and implementing application whitelisting policies can mitigate this threat.

External References

https://otx.alienvault.com/pulse/66c84eca6298cd5a4bb0ec77
Tags
malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent

Date

  • Created: Aug. 23, 2024, 8:56 a.m.
  • Published: Aug. 23, 2024, 8:56 a.m.
  • Modified: Aug. 23, 2024, 9:02 a.m.

Indicators

  • f94b8d2391b53dfb96035a2ba628224c3bfedf77021c896b64a0d7c8f2121e17
  • f00c85d9db7a2a2bf248771b8d81d978fa6d2153e6a3095d9c5896b604e9d00d
  • eef9f73dc7e0cdd4b1780ecd20845496a91e0f1c096264208d991935c5e97308
  • ea1945d887cbe8a56234cec6da2c46ed7a28ae6a69fd49181b3d13a71943ffd9
  • d44ff1bd3c7ff81228548c82ea68c33bdea780772ce55dc4be2d4156985a326a
  • d16239cfbee14a8621637934aebe2d5253fea04940d2eb082bd8dcdc41111d4b
  • b95ef984bfb22c55881931b134deaf1b848fbfda4180fc393b9f532f51089cbb
  • ad30e29ba883c3f528d2782dbc3d1b5258815b619c6dfc3639fee416cf27fb1f
  • 8d4808ed167ac91724e8ab4da24bcc3bd2159a4972c212a1cd4062f02a3731d0
  • 8987952745a8d46a8f2e6d1666cc9c542b6a9a96787ef467c76b779a8b6c1a66
  • 8612668466f9c8a180e0e9a3c92c85a03788f2f0bb3c6bf70f52c356e02702db
  • 6a18392e3e062ce0fcd4688c0b09e482855cf709eb178437d8fe2cdc9cfdf51f
  • 68fe595237eec1261184a5f3a00cc0f678a33751615796942001997575887557
  • 3e6c13f9e4cee9b8d55d7a83fd3c3d5d6d09b6c477c4f84fd79db6cc8de7ea42
  • 4d8918cfcc97ca63666937e5d53373793f3695a2b1177e27a78aa34303c2ee80
  • 21c33c8365218b7fb1bbb0d45af77926877fb33384ef58fbbb6db04b9df55eb6
  • 087158ad28080ef438047b88896dfa1962d1cd6fed8fce06e35c25f91ad5f1ff
  • 180f9a2d3de0b5f031408797286837bb4b10b2a6d8797cf985347f5d80f9e4a0
  • 91.225.219.185
  • 171.22.120.50
  • http://ukraero.space/jobs/upload
  • http://ukraero.space/jobs/download
  • http://prozorro.online/info/docx/recon
  • http://prozorro.online/data/spysok_kursk.zip
  • http://171.22.120.50/data/chrome_updater.txt
  • http://171.22.120.50/data/USB.txt
  • http://171.22.120.50/data/Social.txt
  • http://171.22.120.50/data/Screen.txt
  • http://171.22.120.50/data/IDCLIPNET_x86.txt
  • http://171.22.120.50/data/Files.txt
  • http://171.22.120.50/data/Browser.txt
  • ukraero.space
  • prozorro.online
Download all indicators here!

Attack Patterns

  • FIRMACHAGENT
  • SPECTR
  • Unknown

Additional Informations

  • Ukraine