Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

Ukrainian organizations have been subjected to new hacking attempts tailored to drop malware and malicious Cobalt Strike beacons onto their networks.

On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) published two advisories on the hacking incidents, suspected of being the work of threat groups APT28 — also known as Fancy Bear — and UAC-0098.

The phishing campaign, conducted by Russian advanced persistent threat (APT) APT28, sees it attempting to spread a malicious document titled, “Nuclear Terrorism A Very Real Threat” Distribution is suspected of being carried out on June 10.

UAC-0098’s hacking attempts also begins with a malicious email. The phishing messages have a malware document attached, “Imposition of penalties.docx,” and its distribution has been described as “persistent” with an original compilation date of June 16.

This document is also spread through a password-protected archive, fraudulently passed off as communication from Ukraine’s tax office, with the subject line: “Notice of non-payment of tax.”

When opened, both documents automatically download an HTML file that initiates malicious JavaScript code containing an exploit for CVE-2022-30190.

Issued a CVSS severity score of 7.8, CVE-2022-30190 is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, patched but exploited in the wild, first emerged as a zero-day flaw in May.

If the target system has not been protected, victims of Fancy Bear’s attacks will find their systems infected with the CredoMap malware.

According to Malwarebytes, CredoMap is an information stealer able to exfiltrate browser data, cookies, and account credentials. Older variants of the malware have previously been used by APT28 against Ukrainian targets.

The tax-related doc, however, deploys Cobalt Strike beacons. Cobalt Strike is a legitimate, commercial penetration testing tool that has, unfortunately, been abused for malicious purposes by cyberattackers for many years. The tool’s beacon functionality can facilitate remote connections and can be used for the deployment of shellcode and malware.

Since Russia’s invasion of Ukraine began, CERT-UA has pivoted its focus to warning against cyberthreats impacting both Ukrainian businesses and residents. Many campaigns are trying to take advantage of the situation, whether on behalf of the Russian state or just as run-of-the-mill attackers trying to make a profit.

The agency has previously warned organizations of Ghostwriter phishing campaigns, Invisimole activities tied to the Russian APT Gamaredon, and frequent misinformation schemes targeting Ukraine’s residents.

CERT-UA has also alerted Ukrainian media agencies to phishing campaigns, potentially conducted by the Russian Sandworm hacking group, intended to spread the CrescentImp malware.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0