Ethical Hacking News

Russia-linked UNC5812 Targets Ukraine's Military with Malware via Telegram


Russia-linked UNC5812 has been identified as a major threat actor that has targeted Ukraine's military with malware for both Windows and Android. The group used the Telegram messaging app to spread its malicious activity, including influence campaigns aimed at weakening support for Ukraine's mobilization and recruitment efforts.

  • UNC5812, a Russia-linked espionage group, has targeted Ukraine's military with malware for both Windows and Android.
  • The group used the Telegram messaging app to spread its malicious activity, including influence campaigns aimed at weakening support for Ukraine's mobilization efforts.
  • A Telegram channel called "Civil Defense" was created to distribute malware, posing as a provider of free software programs that allow users to view crowdsourced locations of Ukrainian military recruiters.
  • The group distributed multiple software programs through the Civil Defense website, which download different malware families once installed.
  • The campaign is characteristic of Russia's emphasis on achieving cognitive effect via its cyber capabilities, with messaging apps playing a prominent role in malware delivery and other cyber dimensions.



  • Russia-linked espionage group UNC5812 has been identified as a major threat actor that has targeted Ukraine's military with malware in a coordinated effort covering both Windows and Android. The group has used the Telegram messaging app to spread its malicious activity, including influence campaigns aimed at weakening support for Ukraine's mobilization and recruitment efforts.

    According to reports from Google TAG and Mandiant, the group, tracked as UNC5812, created a Telegram channel called "Civil Defense" in September 2024, which now has 189 subscribers. The channel poses as a provider of free software programs that allow potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. However, these apps are designed to infect Android devices with malware if Google Play Protect is disabled.

    The group also distributed multiple software programs through the Civil Defense website, which download different malware families once installed. For Windows users, a downloader called Pronsis Loader starts an attack chain that ultimately installs SUNSPINNER and PURESTEALER information stealer. On Android devices, a malicious APK installs a variant of the CRAXSRAT backdoor, sometimes bundled with SUNSPINNER.

    The experts noticed that the Civil Defense website employs social engineering tactics to trick users into installing an APK from outside the official app store. The website claims this approach protects user anonymity and security, and directs victims to video instructions. These videos guide users through disabling Google Play Protect and instruct them to manually enable all permissions after the malware is installed.
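    As an added defender-side example (not code from the Google TAG/Mandiant report or from this article), the following Python script parses the output of `adb shell pm list packages -i` and lists packages that were not installed through the Play Store. That is one quick check an administrator can run on a managed device to spot sideloaded APKs of the kind the Civil Defense site asks users to install. The Play Store installer name `com.android.vending` is real; the sample listing, the package names in it and the platform-prefix heuristic for skipping preinstalled apps are constructed assumptions.

```python
"""
List Android packages that were not installed through the Play Store.

Input is the text produced by `adb shell pm list packages -i`, one line per
package in the form:  package:<name>  installer=<installer package or null>
"""
import re
from typing import NamedTuple, Optional

# Installer package name recorded for apps installed from Google Play.
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -i` output; NOT captured from a real
# device. Package names other than the platform ones are made up for the demo.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:org.example.civildefense  installer=null
package:com.android.settings  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller
"""

_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


class InstalledApp(NamedTuple):
    package: str
    installer: Optional[str]   # None when the listing shows installer=null


def parse_pm_list(output: str) -> list:
    """Parse `pm list packages -i` text into InstalledApp records.

    Lines that do not match the expected shape are skipped rather than
    guessed at, so a stray warning line from adb cannot produce a bogus hit.
    """
    apps = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            continue
        inst = m.group("inst")
        apps.append(InstalledApp(m.group("pkg"), None if inst == "null" else inst))
    return apps


def sideloaded(apps, allowed_installers=frozenset({PLAY_STORE_INSTALLER}),
               platform_prefixes=("com.android.", "com.google.android.")) -> list:
    """Return apps whose recorded installer is not an allowed store.

    installer=null means no installer was recorded. Preinstalled platform
    apps look like that too, so packages under the platform prefixes are
    skipped (an assumption: a real deployment would use an allow-list of
    known system packages instead of a name prefix). Everything else with a
    null installer, or one installed by the manual package installer, is a
    candidate sideload worth reviewing.
    """
    flagged = []
    for app in apps:
        if app.package.startswith(platform_prefixes):
            continue
        if app.installer in allowed_installers:
            continue
        flagged.append(app)
    return flagged


if __name__ == "__main__":
    for app in sideloaded(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"{app.package}: installer={app.installer or 'none recorded'}")
```

    On a real device the listing comes from `adb shell pm list packages -i` (or the equivalent MDM inventory); feed that text to `parse_pm_list` in place of the constructed sample. The script only tells you which apps bypassed the store, not whether Play Protect is currently enabled, so it complements rather than replaces the Play Protect check.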

    The threat actors' campaign is highly characteristic of Russia's emphasis on achieving cognitive effect via its cyber capabilities, with messaging apps continuing to play a prominent role in malware delivery and other cyber dimensions of the war in Ukraine.

    "UNC5812’s campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia’s war in Ukraine," concludes the report that also provided indicators of compromise for this campaign. "We judge that as long as Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity."



    Related Information:

  • https://securityaffairs.com/170346/cyber-warfare-2/unc5812-targets-ukraines-military-malware.html

  • https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a


  • Published: Tue Oct 29 06:24:11 2024 by llama3.2 3B Q4_K_M