The researchers of Check Point Research have generated a report regarding the ongoing spear-phishing campaigns. According to the report, there are at least three different advanced persistent groups that use the ongoing war between Russia and Ukraine for their campaigns. Those groups are claimed to be state-sponsored and all of them are targeting different regions.
All groups have their own targets
One of the groups, El Machete, is originated from a Spanish-speaking country. It targets Nicaragua’s and Venezuela’s financial and governmental systems. Lyceum is originated from Iran and it targets the energy industries of Israel and Saudi Arabia. SideWinder is believed to be originating from India and it targets entities in Pakistan.
While El Machete and Lyceum utilize war-related e-mails for their phishing campaigns, SideWinder uses a document with a malicious payload for its further actions. El Machete’s e-mails come with a Word document titled “Dark plans of the neo-Nazi regime in Ukraine” which contains an actual article by Alexander Khokholikov, the Russian Ambassador to Nicaragua. This document contains a malicious macro that delivers a bas64-encoded file “~djXsfwEFYETE.txt” file. After decoding the file into a .exe file by utilizing built-in certutil.exe, it follows the diagram below:
Exe file with PDF file icon
The Iranian APT, Lyceum, sends e-mails from inews-reporter [at] protonmail.com e-mail address with “Russian war crimes in Ukraine” subject; including pictures from public media sources. It also includes a link to news-spot [dot] com domain. The link opens a document that contains an article from The Guardian, with the title “Researchers gather evidence of possible Russian war crimes in Ukraine”. It contains a macro that runs after closing the document. The macro puts an executable file into the Windows Startup directory, which means it will run every time the system boots. They use the PDF file icon for some of their executables as well.
SideWinder APT, which is believed to be originating in India, uses a document titled “Focused talk on Russian Ukraine conflict impact on Pakistan” which retrieves a remote template from an actor-controlled server. The external file is in RTF type, which exploits the CVE-2017-11882 vulnerability. Then it drops and executes the payload.
Users should be careful about the popular topics, which is currently the war between Russia and Ukraine. It is crucial to be careful with those topics since a lot of malicious actors and groups try to abuse them.