Researchers from cybersecurity firm Proofpoint uncovered a spear-phishing campaign, likely conducted by a nation-state actor, that compromised a Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.
The phishing messages included a weaponized attachment designed to download a Lua-based malware dubbed SunSeed. Experts found similarities between the infection chain associated with this campaign, tracked as Asylum Ambuscade, and other attacks Proofpoint observed in July 2021, a circumstance that suggests they were conducted by the same threat actor.
The campaign observed in July 2021 was linked to the Belarus-linked APT group Ghostwriter (aka TA445 or UNC1151).
The malicious macro attachment used the Emergency Meeting of the NATO Security Council held on February 23, 2022, as bait.
“Proofpoint researchers have identified a phishing campaign originating from an email address (ukr[.]net) that appears to belong to a compromised Ukranian armed service member.” reads the analysis published by ProofPoint. “This discovery comes on the heels of alerts by the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Service of Special Communications and Information Protection of Ukraine about widespread phishing campaigns targeting private email accounts of Ukrainian armed service members by ‘UNC1151’, which Proofpoint tracks as part of TA445.”
Since Russia’s invasion of Ukraine, the Ghostwriter APT group has launched, multiple attacks against the private email accounts of Ukrainian military personnel.
Unlike 2021 Ghostwriter’s campaign, attackers leveraged the compromised sender infrastructure to send out the phishing email and used MSI package as an installer for a Lua-based malware.
“This activity, independent of attribution conclusions, represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine,” concludes the report.”Additionally, the possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarussian-state techniques.”
Proofpoint also shared Indicators of Compromise (IOCs) for the Asylum Ambuscade.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Asylum Ambuscade)