Russia-linked APT28 uses fake Windows Update instructions to target Ukraine govt bodies

CERT-UA warns of a spear-phishing campaign conducted by APT28 group targeting Ukrainian government bodies with fake ‘Windows Update’ guides.

Russia-linked APT28 group is targeting Ukrainian government bodies with fake ‘Windows Update’ guides, Computer Emergency Response Team of Ukraine (CERT-UA) warns.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

CERT-UA observed the campaign in April 2023, the malicious e-mails with the subject “Windows Update” were crafted to appear as sent by system administrators of departments of multiple government bodies. The threat actors sent the messages from e-mail addresses created on the public service “@outlook.com.”

“During April 2023, the government computer emergency response team of Ukraine CERT-UA recorded cases of the distribution of e-mails with the subject “Windows Update” among government bodies of Ukraine, sent, apparently, on behalf of system administrators of departments. At the same time, e-mail addresses of senders created on the public service “@outlook.com” can be formed using the employee’s real surname and initials.” reads the alert published by CERT-UA. “The sample letter contains “instructions” in Ukrainian for “updates to protect against hacker attacks”, as well as graphical images of the process of launching a command line and executing a PowerShell command.”

The attackers used @outlook.com email addresses using real employee names that were previously obtained in a reconnaissance phase.

The content of the messages attempts to trick recipients into launching a command line and executing a PowerShell command.

Upon executing the command, it downloads a PowerShell script on the computer that simulates a Windows updating process while downloading another PowerShell script in the background.

This second-stage payload abuses the ‘tasklist’ and ‘systeminfo’ commands to gather system information and send them to a Mocky service API via an HTTP request.

“The mentioned command will download a PowerShell script that, simulating the process of updating the operating system, will download and execute the following PowerShell script designed to collect basic information about the computer using the “tasklist”, “systeminfo” commands, and send the received results using HTTP request to the Mocky service API.” continues the alert.

The CERT-UA recommends restricting the ability of users to launch PowerShell and monitor network connections to the Mocky service API.

CERT-UA also provided Indicators of Compromise for this campaign.

Recently, UK and US agencies are warned of the APT28 group exploiting vulnerabilities in Cisco networking equipment.

The Russia-linked APT group accesses unpatched Cisco routers to deploy malware exploiting the not patched CVE-2017-6742 vulnerability (CVSS score: 8.8), states a joint report published by the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI).

The joint advisory provides detailed info on tactics, techniques, and procedures (TTPs) associated with APT28’s attacks conducted in 2021 that exploited the flaw in Cisco routers.

Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)