Phishers attack organizations helping Ukrainian refugees

Information security experts have warned about frequent cyber attacks on organizations helping refugees from Ukraine. The attackers are sending phishing emails purportedly from the Security Service of Ukraine, claiming to contain an evacuation plan. In fact, the attachments are malicious and carry software for stealing personal data.

As the Slovak information security company ESET told Forbes, the malware is based on Microsoft Remote Utilities software for remote access to Windows PCs. The malware is completely new but technically unsophisticated.

Specialists at the American information security company Proofpoint also reported discovering a phishing attack using an “evacuation plan” lure against an unnamed European government organization providing assistance to Ukrainian refugees. The phishing email was sent from a compromised email address ending in @ukr[.]net, presumably belonging to a serviceman.

The email contains a document carrying the SunSeed malware. The malware provides access to the infected computer and allows the operator to download additional malware to it, Proofpoint explained.

“It is obvious that the persons responsible for transportation, distribution of funds and budget, administration and movement of people across Europe were chosen as victims. This campaign may be an attempt to collect information about logistics related to the movement of funds, supplies and people in NATO countries,” Proofpoint experts said.

According to Catherine Woolard, head of the European Council for Refugees and Forced Emigrants, the number of phishing messages has increased significantly recently, but nothing is yet known about any successful attacks.

The researchers “tentatively” attributed the attacks to the hacker group Ghostwriter (UNC1151), which some experts associate with the government of the Republic of Belarus. Although there is no technical evidence yet, the tactics and timing of the attacks point to Ghostwriter.

https://www.securitylab.ru/news/530404.php