Crooks target Ukraine’s IT Army with a tainted DDoS tool

Threat actors are spreading password-stealing malware disguised as a security tool to target Ukraine’s IT Army.

Cisco Talos researchers have uncovered a malware campaign targeting Ukraine’s IT Army, threat actors are using infostealer malware mimicking a DDoS tool called the “Liberator.” The Liberator tool is circulating among pro-Ukraina hackers that use it to target Russian propaganda websites.

After Russia started invading Ukraine, the Ukrainian Minister for Digital Transformation Mykhaylo Fedorov called to action against Russia attempting to create an “IT Army,” composed of volunteers, to launch a massive offensive against Russia. A Telegram channel was used to coordinate the efforts and plan the cyber-attacks that will be conducted by the IT Army.

“Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised.” reads the analysis published by Talos. “In one such instance, we observed a threat actor offering a distributed denial-of-service (DDoS) tool on Telegram intended to be used against Russian websites. The downloaded file is actually an information stealer that infects the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.”

Now the tainted Liberator tool was advertised on Telegram, the original version of the tool was developed by a group called disBalancer. Liberator is advertised as a DDoS tool to launch attacks against “Russian propaganda websites.”

The tool was developed to allow not technical people to easily launch an attack against a list of Russian sites fetched from a server. 

The campaign uses a dropper disguised as the Disbalancer.exe tool which is protected with the ASProtect packer for Windows executables.

Once the malware is dropped on the victims’ systems, it performs anti-debug checks, then it follows a process injection step to load the Phoenix information stealer in memory.

“If a researcher tries to debug the malware execution, it will be confronted with a general error. The malware, after performing the anti-debug checks, will launch Regsvcs.exe, which is included along with the .NET framework. In this case, the regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.” continues the report.

The variant employed in the attack against the IT Army is able to steal a broad range of data, including web browser data, VPN tools, Discord, Steam, and cryptocurrency wallets. The collected data is sent to a remote IP address (95[.]142[.]46[.]35) on port 6666.

Talos experts believe this is an opportunistic campaign, the same IP address is has been distributing Phoenix since November 2021.

“Cisco Talos constantly observes actors using any and all means to get their malware installed on systems, and the war in Ukraine is no exception. In this case, we found some cybercriminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state.” concludes the report. “We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IT Army)

[adrotate banner=”5″]

[adrotate banner=”13″]