A report by CERT-UA has revealed that attackers compromised an email account belonging to the Ukrainian Ministry of Defense. The account was used to send phishing emails and instant messages, in an attempt to target Ukraine's DELTA military system.
DELTA users under attack
After compromising the email account, the attackers, tracked as UAC-0142, sent phishing emails to users of DELTA, a situational awareness program.
The aim was to infect systems with information stealers FateGrab and StealDeal.
To achieve this, the attackers sent emails and instant messages containing fake links and asked users to update their DELTA certificates in order to keep using the system securely.
The attackers also used PDF attachments imitating legitimate documents from the ISTAR unit of the Zaporizhzhia Police Department; the PDFs carried a link to a malicious ZIP archive.
Infection process
The malicious email included a PDF document allegedly carrying the certificate installation details, along with links to download a ZIP archive titled certificates_rootCA[.]zip.
The archive included a digitally signed executable certificates_rootCA[.]exe. This file creates various DLL files on the system and launches ais[.]exe to simulate the certificate installation process.
CERT-UA identified the dropped DLLs (FileInfo[.]dll and procsys[.]dll) as StealDeal, a stealer of internet browsing data, and FateGrab, an FTP file stealer that targets documents and emails.
Both the EXE files and the DLLs were protected with VMProtect, a legitimate commercial protector that wraps code in a standalone virtual machine and encrypts its content, which makes AV detection and analysis harder.
Once running, StealDeal and FateGrab would steal Internet browser data and the passwords stored by the local browser.
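The chain above (a downloaded archive, a signed executable that drops DLLs beside itself, then a helper process launched from the same folder) lends itself to endpoint detection. The following is an added example, not code from the CERT-UA report or this article: a small correlator that replays constructed, Sysmon-style events and flags both the file names quoted in the report and the dropper-then-helper behaviour itself, so it would still fire if the names changed. The event layout, field names, paths and timestamps are assumptions modelled loosely on Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate).

```python
"""
Added example (not part of the CERT-UA report or the article): a correlator
that replays constructed Sysmon-style endpoint events and flags the DELTA
lure infection chain in two ways:

  1. file names quoted in the report (certificates_rootCA.zip/.exe,
     FileInfo.dll, procsys.dll, ais.exe), with the "[.]" defanging removed;
  2. the behaviour: an executable running from a user-writable folder writes
     DLLs next to itself and then launches another executable from that same
     folder (the "fake certificate installer" pattern).

Event layout, field names, paths and timestamps are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath  # parses Windows paths correctly on any host OS

# File names taken from the report; matching is case-insensitive.
REPORT_IOC_NAMES = {
    "certificates_rootca.zip",
    "certificates_rootca.exe",
    "fileinfo.dll",
    "procsys.dll",
    "ais.exe",
}

# Folder fragments treated as user-writable (assumption; tune per estate).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


@dataclass
class Event:
    ts: datetime
    kind: str                  # "ProcessCreate" or "FileCreate"
    pid: int                   # new process (ProcessCreate) or writing process (FileCreate)
    image: str                 # full path of that process's executable
    target_filename: str = ""  # FileCreate only: the file written
    parent_pid: int = 0        # ProcessCreate only
    parent_image: str = ""     # ProcessCreate only


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(hint in p for hint in USER_WRITABLE_HINTS)


def correlate(events, window=timedelta(minutes=5)):
    """Return report IoC hits and dropper-then-helper chains found in events."""
    ioc_hits = set()
    chains = []
    dll_writes = defaultdict(list)  # writer pid -> [(ts, dll name)]
    for e in sorted(events, key=lambda ev: ev.ts):
        # 1. Static indicator match on every path the event carries.
        for p in (e.image, e.target_filename, e.parent_image):
            if p and _name(p) in REPORT_IOC_NAMES:
                ioc_hits.add(_name(p))
        # 2. Behavioural chain: a DLL dropped beside the writer's own image ...
        if e.kind == "FileCreate":
            t = e.target_filename
            if t.lower().endswith(".dll") and _dir(t) == _dir(e.image):
                dll_writes[e.pid].append((e.ts, _name(t)))
        # ... followed by a child started from that same user-writable folder.
        elif e.kind == "ProcessCreate" and e.parent_image:
            if _dir(e.image) == _dir(e.parent_image) and in_user_writable(e.parent_image):
                recent = [n for ts, n in dll_writes[e.parent_pid] if e.ts - ts <= window]
                if recent:
                    chains.append({"parent": _name(e.parent_image),
                                   "child": _name(e.image),
                                   "dlls": recent})
    return {"ioc_names": sorted(ioc_hits), "dropper_chains": chains}


def sample_events():
    """Constructed telemetry: the reported chain plus a benign installer for contrast."""
    t0 = datetime(2022, 12, 18, 9, 0, 0)
    dl = r"C:\Users\analyst\Downloads"
    lure = dl + r"\certificates_rootCA"
    vendor = r"C:\Program Files\Vendor"
    return [
        # Browser saves the lure archive.
        Event(t0, "FileCreate", 3000, r"C:\Program Files\Browser\browser.exe",
              target_filename=dl + r"\certificates_rootCA.zip"),
        # Extracted dropper starts from Downloads, writes two DLLs, spawns ais.exe.
        Event(t0 + timedelta(seconds=30), "ProcessCreate", 4120, lure + r"\certificates_rootCA.exe",
              parent_pid=1000, parent_image=r"C:\Windows\explorer.exe"),
        Event(t0 + timedelta(seconds=32), "FileCreate", 4120, lure + r"\certificates_rootCA.exe",
              target_filename=lure + r"\FileInfo.dll"),
        Event(t0 + timedelta(seconds=32), "FileCreate", 4120, lure + r"\certificates_rootCA.exe",
              target_filename=lure + r"\procsys.dll"),
        Event(t0 + timedelta(seconds=35), "ProcessCreate", 4188, lure + r"\ais.exe",
              parent_pid=4120, parent_image=lure + r"\certificates_rootCA.exe"),
        # Benign: a vendor installer under Program Files does the same dance; not flagged.
        Event(t0 + timedelta(minutes=10), "ProcessCreate", 5000, vendor + r"\setup.exe",
              parent_pid=1000, parent_image=r"C:\Windows\explorer.exe"),
        Event(t0 + timedelta(minutes=10, seconds=1), "FileCreate", 5000, vendor + r"\setup.exe",
              target_filename=vendor + r"\vendor.dll"),
        Event(t0 + timedelta(minutes=10, seconds=2), "ProcessCreate", 5010, vendor + r"\helper.exe",
              parent_pid=5000, parent_image=vendor + r"\setup.exe"),
    ]


if __name__ == "__main__":
    result = correlate(sample_events())
    print("report IoC names seen:", result["ioc_names"])
    for c in result["dropper_chains"]:
        print(f"dropper chain: {c['parent']} wrote {c['dlls']} then started {c['child']}")
```

The behavioural rule is deliberately scoped to parents running from user-writable folders: a legitimate installer under Program Files that writes a DLL and starts a helper is the same sequence and would otherwise drown the alert in noise, which is why the sample includes one.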
Conclusion
The recent attack on the situational awareness program shows the attackers' interest in Ukraine's military establishment. More attacks by the same actors may follow in the near future, so Ukrainian agencies should follow CERT-UA advisories for further information and remain vigilant.