Security News > 2022 > September > Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware
A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT. The attacks are said to be an expansion of the same campaign that previously distributed DCRat using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.
Sandworm is a destructive Russian threat group that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks.
The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a new variant of a piece of malware known as Industroyer.
"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware," Recorded Future said.
HTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.
News URL
https://thehackernews.com/2022/09/russian-sandworm-hackers-impersonate.html
Related news
- Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday (source)
- Russian Espionage Group Targets Ukrainian Military with Malware via Telegram (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users (source)
- FIN7 hackers launch deepfake nude “generator” sites to spread malware (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- 100+ domains seized to stymie Russian Star Blizzard hackers (source)
- Ukrainian pleads guilty to operating Raccoon Stealer malware (source)
- N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware (source)
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers (source)