The Computer Emergency Response Team of Ukraine (CERT-UA) has published technical details and indicators of compromise (IoCs) for a recently observed attack on an energy infrastructure facility in the country, attributed to the Russian military hacking unit widely tracked as APT28, Fancy Bear or Strontium.
In this case, the attack began with a phishing email carrying a link to a ZIP archive. The archive contained three JPG images used as decoys and a Windows batch script named “weblinks.cmd.”
When executed, the batch script opens several web pages as a distraction, drops two further files, a .bat and a .vbs, and then runs the VBS file.
The analysis showed that the attackers downloaded the Tor software via the file.io file-sharing service and configured a Tor hidden service to relay traffic from the Tor network to local hosts. They also abused webhook.site, a legitimate service, as a channel for remote command execution, and relied on LOLBAS (Living Off The Land Binaries and Scripts) techniques, that is, built-in Windows binaries and script interpreters rather than custom malware, to evade security controls.
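The chain described above (batch script from an archive, dropped VBS run through a built-in script host, Tor fetched from file.io, a hidden service pointed at local hosts, webhook.site as a command channel) leaves a recognisable trail in endpoint telemetry. The following is an added detection example written for this page; it is not CERT-UA's tooling, and the event records, file paths, user name and torrc contents are all constructed. The Sysmon-style field names (id, image, cmdline, parent, target, dest_host) are assumptions about the log format, as are the local ports in the sample torrc.

```python
"""Detection pass for the APT28 chain CERT-UA describes. Added example; not CERT-UA code.
All events, paths, the user name and the torrc below are constructed for illustration."""
import re

# Legitimate services the report names as abused; hits need triage in context.
ABUSED_SERVICES = {"file.io", "webhook.site"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # LOLBAS script interpreters
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)  # usual archive/drop staging dir
TORRC_HS = re.compile(r"^\s*HiddenServicePort\s+(\d+)\s+(\S+)", re.I | re.M)

# Constructed Sysmon-style events: 1 = process create, 3 = network connect, 11 = file create.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user1\AppData\Local\Temp\Temp1_photos.zip\weblinks.cmd"'},
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\user1\AppData\Local\Temp\stage.vbs"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wscript.exe //B C:\Users\user1\AppData\Local\Temp\stage.vbs"},
    {"id": 3, "image": r"C:\Windows\System32\curl.exe", "dest_host": "file.io", "dest_port": 443},
    {"id": 1, "image": r"C:\Users\user1\AppData\Local\Temp\tor\tor.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"tor.exe -f C:\Users\user1\AppData\Local\Temp\tor\torrc"},
    {"id": 3, "image": r"C:\Windows\System32\curl.exe", "dest_host": "webhook.site", "dest_port": 443},
    # Benign noise that must not alert:
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443},
]

# Constructed torrc of the kind that exposes local services through an onion address.
# The ports chosen here are an assumption, not taken from the CERT-UA report.
SAMPLE_TORRC = """\
HiddenServiceDir C:\\Users\\user1\\AppData\\Local\\Temp\\tor\\hs
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 3389 127.0.0.1:3389
"""


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def rule_batch_from_archive(e):
    """cmd.exe running a .cmd/.bat located under Temp or inside an extracted ZIP path."""
    if e.get("id") == 1 and _basename(e["image"]) == "cmd.exe":
        cl = e.get("cmdline", "")
        if re.search(r"\.(cmd|bat)\b", cl, re.I) and (TEMP_DIR.search(cl) or re.search(r"\.zip\\", cl, re.I)):
            return "batch script launched from Temp/extracted archive"
    return None


def rule_script_dropped_by_cmd(e):
    """cmd.exe writing a new .vbs/.bat/.cmd: the second-stage files the report describes."""
    if e.get("id") == 11 and _basename(e["image"]) == "cmd.exe" and re.search(r"\.(vbs|bat|cmd)$", e["target"], re.I):
        return "cmd.exe wrote a script file"
    return None


def rule_script_host_from_cmd(e):
    """wscript/cscript spawned by cmd.exe on a script in Temp: the dropped VBS being run."""
    if (e.get("id") == 1 and _basename(e["image"]) in SCRIPT_HOSTS
            and _basename(e.get("parent", "")) == "cmd.exe" and TEMP_DIR.search(e.get("cmdline", ""))):
        return "LOLBAS script host ran a dropped script"
    return None


def rule_abused_service(e):
    if e.get("id") == 3 and e.get("dest_host", "").lower() in ABUSED_SERVICES:
        return f"connection to abused legitimate service {e['dest_host']}"
    return None


def rule_tor_from_userland(e):
    if e.get("id") == 1 and _basename(e["image"]) == "tor.exe" and TEMP_DIR.search(e["image"]):
        return "tor.exe executed from user-writable Temp"
    return None


RULES = [rule_batch_from_archive, rule_script_dropped_by_cmd, rule_script_host_from_cmd,
         rule_abused_service, rule_tor_from_userland]


def hidden_service_ports(torrc_text):
    """(onion_port, target) pairs a torrc exposes; 127.0.0.1 targets mean local services
    are reachable through Tor, which is the relay pattern the report describes."""
    return [(int(p), t) for p, t in TORRC_HS.findall(torrc_text)]


def scan(events):
    return [(i, r.__name__, label) for i, e in enumerate(events) for r in RULES if (label := r(e))]


def assess(events, torrc_text=None, min_distinct_rules=3):
    """Single LOLBAS signals are noisy on their own; escalate only when several distinct
    stages of the chain are seen together on the same host."""
    hits = scan(events)
    distinct = {name for _, name, _ in hits}
    exposed = hidden_service_ports(torrc_text) if torrc_text else []
    if exposed:
        distinct.add("hidden_service_to_localhost")
    verdict = "probable intrusion chain" if len(distinct) >= min_distinct_rules else "isolated signals"
    return {"hits": hits, "exposed_ports": exposed, "distinct_rules": sorted(distinct), "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS, SAMPLE_TORRC)
    for hit in result["hits"]:
        print(hit)
    print(result["exposed_ports"], result["verdict"])
```

Each rule deliberately keys on process lineage and file location rather than on file hashes, because every binary in the chain except tor.exe is a signed Windows component; the correlation step in assess is what keeps a lone cmd.exe or wscript.exe event from paging anyone.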
The Ukrainian cyber defenders said that the attack was thwarted by an employee of the targeted organization.
Earlier this year, APT28 attempted to compromise Ukrainian government institutions and military entities involved in aircraft infrastructure by exploiting vulnerabilities in unpatched RoundCube webmail servers.