Turla hackers target defense sector in Ukraine and Eastern Europe

The Computer Emergency Response Team of Ukraine (CERT-UA) and Microsoft’s threat intelligence team have warned of a new series of attacks by a Russia-linked threat actor targeting the defense sector in Ukraine and Eastern Europe.

The campaign has been attributed to Turla (aka Secret Blizzard, Krypton, UAC-0024 and UAC-0003), a cyber-espionage group believed to be working on behalf of Russia's Federal Security Service (FSB).

The first stage of the attack involves phishing emails carrying Excel XLSM attachments with malicious macros that deliver the CapiBar (also tracked as DeliveryCheck and Gameday) spyware onto the target system.
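Because the initial access described above relies on a macro-enabled Excel attachment, a mail-gateway or triage script can flag such files before a user ever opens them. The following is an added example, not code from CERT-UA, Microsoft or the reports they published: it treats the attachment as the OOXML zip container it is and looks for the two indicators of an embedded VBA project (a `vbaProject.bin` part and the macro-enabled workbook content type). The sample workbooks it inspects are constructed in memory as minimal containers, not real Excel files, and the function names are this example's own.

```python
import io
import zipfile

# An .xlsm (and .xlsx) file is an OOXML zip. The embedded VBA project is stored
# in a part named vbaProject.bin, and a macro-enabled workbook declares a
# distinct main content type. Either indicator means the file carries macros.
MACRO_PART_SUFFIX = "vbaproject.bin"
MACRO_ENABLED_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
)


def inspect_ooxml(data: bytes) -> dict:
    """Return the macro indicators found in an OOXML byte string."""
    result = {"is_zip": False, "has_vba_part": False, "macro_content_type": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container at all (e.g. a legacy .xls or an unrelated file).
        return result
    result["is_zip"] = True
    names = archive.namelist()
    # Match case-insensitively: the part is usually xl/vbaProject.bin.
    result["has_vba_part"] = any(n.lower().endswith(MACRO_PART_SUFFIX) for n in names)
    if "[Content_Types].xml" in names:
        content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = MACRO_ENABLED_CONTENT_TYPE in content_types
    return result


def has_macros(data: bytes) -> bool:
    """True when either macro indicator is present; a triage decision helper."""
    r = inspect_ooxml(data)
    return r["has_vba_part"] or r["macro_content_type"]


def build_sample_workbook(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, not a real Excel file."""
    buf = io.BytesIO()
    main_type = MACRO_ENABLED_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/xl/workbook.xml" '
            f'ContentType="{main_type}"/></Types>',
        )
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project.
            z.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


SAMPLE_MACRO_WORKBOOK = build_sample_workbook(True)
SAMPLE_CLEAN_WORKBOOK = build_sample_workbook(False)

if __name__ == "__main__":
    for label, blob in (("xlsm", SAMPLE_MACRO_WORKBOOK), ("xlsx", SAMPLE_CLEAN_WORKBOOK)):
        print(label, inspect_ooxml(blob), "macros:", has_macros(blob))
```

Checking both indicators matters in practice: an attachment renamed from `.xlsm` to `.xlsx` still carries its `vbaProject.bin` part, so a policy keyed on the file extension alone would miss it, while the content-type check catches a container whose VBA part was stored under an unexpected path.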

The malware is typically installed on compromised Microsoft Exchange servers in the form of a MOF (Managed Object Format) file, turning the infected machine into a command-and-control server for the attackers.

In some cases, a “highly advanced and multi-functional backdoor” known as Kazuar is downloaded onto the compromised systems. This backdoor comes with over 40 features and is capable of collecting data and stealing authentication information, including passwords, bookmarks, cookies, and databases from services such as KeePass, Azure, Google Cloud, IBM Bluemix, and Amazon Web Services.

Earlier this year, Turla was observed piggybacking on attack infrastructure used by a decade-old malware to install its backdoors and steal useful information from targets in Ukraine.

In May, the US and partners dismantled a covert peer-to-peer (P2P) network of computers infected with “Snake” malware used by Turla to spy on the United States and its allies.
