
Ethical Hacking News

Russia's Malicious Hybrid Campaign: Targeting Ukrainian Conscripts with Sophisticated Windows and Android Malware



Russia has launched a complex hybrid espionage campaign targeting Ukrainian conscripts with sophisticated Windows and Android malware. The operation, which began on September 18, 2024, utilized a fake "Civil Defense" persona to disseminate malware through a Trojan horse app called "Sunspinner." Google implemented protections to block malicious activity, but the operation highlights Russia's continued use and extensive capabilities in the cyber-warfare space.

  • Russian threat group 'UNC5812' carried out a hybrid espionage/influence campaign targeting Ukrainian military recruits with Windows and Android malware.
  • The operation, launched on September 18, 2024, used fake propaganda to spread malware through a Trojan horse app called "Sunspinner."
  • Google blocked malicious activity but the operation highlights evolving cybersecurity threats.
  • A Telegram channel associated with the campaign had gained 80,000 members before being discovered by Google.
  • The malware offered data theft and real-time spying capabilities on Windows and Android devices.



Russian threat group 'UNC5812' has been involved in a hybrid espionage/influence campaign targeting Ukrainian military recruits with sophisticated Windows and Android malware. The operation, which began on September 18, 2024, used a fake "Civil Defense" persona to distribute malware through a Trojan horse app called "Sunspinner." It highlights Russia's continued use of, and extensive capabilities in, cyber-warfare, and the importance of vigilance in the face of such threats.

The campaign employed distinct malware for Windows and Android devices, giving attackers data theft and real-time spying capabilities. Google implemented protections to block the malicious activity, but the operation underscores the evolving nature of modern cybersecurity threats. The "Civil Defense" persona, which was not affiliated with Ukraine's Civil Defense or any government agency, promoted a false narrative intended to stir distrust and resistance among the Ukrainian population.

The Telegram channel associated with the campaign had gained 80,000 members by the time Google discovered it. Users who visited the fake website were directed to download the "Sunspinner" app, presented as a crowd-sourced mapping tool for tracking and avoiding the locations of recruiters. In reality, the app served as a decoy that concealed the installation of the malware.

The website offered Windows and Android downloads, with promises of future support for iOS and macOS. The Windows download installed Pronsis Loader, a malware loader that fetched additional malicious payloads from UNC5812's server, including the commodity info-stealer "PureStealer," which targeted data stored in web browsers (account passwords, cookies and cryptocurrency wallet details) as well as email clients and messaging apps.

On Android, the downloaded APK dropped CraxsRAT, a commercially available backdoor that let attackers track victims' locations in real time, log keystrokes, activate audio recording, retrieve contact lists, access SMS messages, exfiltrate files, and harvest credentials. To get installed, the malware tricked users into disabling Google Play Protect, Android's built-in anti-malware tool, and manually granting it risky permissions.

In response, Google updated its Google Play protections to detect and block the Android malware early and added the domains and files associated with the campaign to Chrome's Safe Browsing feature. The complete list of indicators of compromise for the UNC5812 campaign is available in the source reports linked below.

This incident is a reminder of Russia's continued involvement in cyber-warfare, and of the need for continuous monitoring and adaptation as threats evolve. Individuals and organizations should remain vigilant and take proactive measures to protect themselves against sophisticated malware operations like this one.



Related Information:

  • https://www.bleepingcomputer.com/news/security/russia-targets-ukrainian-conscripts-with-windows-android-malware/
  • https://thehackernews.com/2024/10/russian-espionage-group-targets.html
  • https://arstechnica.com/security/2024/10/kremlin-backed-hackers-have-new-windows-and-android-to-foist-on-ukrainian-foes/

Published: Mon Oct 28 15:27:43 2024 by llama3.2 3B Q4_K_M



    © Ethical Hacking News . All rights reserved.