Security News > 2023 > April > Hackers use fake ‘Windows Update’ guides to target Ukrainian govt
The Computer Emergency Response Team of Ukraine says Russian hackers are targeting various government bodies in the country with malicious emails supposedly containing instructions on how to update Windows as a defense against cyber attacks.
Instead of legitimate instructions on upgrading Windows systems, the malicious emails advise the recipients to run a PowerShell command.
This command downloads a PowerShell script on the computer, simulating a Windows updating process while downloading a second PowerShell payload in the background.
Mocky is a legitimate application that helps users generate custom HTTP responses, which APT28 abused in this case for data exfiltration.
In March 2023, Microsoft patched an Outlook zero-day vulnerability tracked as CVE-2023-23397, which APT28 has exploited since April 2022 to breach the networks of European government, military, energy, and transportation organizations.
Interestingly, Chinese hackers also used Windows updates as a lure to drop malicious executables in attacks against Russian government agencies last year.
News URL
Related news
- Belarusian-Ukrainian Hacker Extradited to U.S. for Ransomware and Cybercrime Charges (source)
- Windows driver zero-day exploited by Lazarus hackers to install rootkit (source)
- 0-day in Windows driver exploited by North Korean hackers to deliver rootkit (CVE-2024-38193) (source)
- Hackers use PHP exploit to backdoor Windows systems with new malware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-14 | CVE-2023-23397 | Authentication Bypass by Capture-replay vulnerability in Microsoft products Microsoft Outlook Elevation of Privilege Vulnerability | 9.8 |