UAC-0020 hackers exploit POW theme to deliver spyware, CERT-UA says

Ukraine's Government Computer Emergency Response Team (CERT-UA) has detected a series of cyberattacks leveraging the sensitive topic of prisoners of war (POWs) captured during Ukraine’s incursion into Russia’s Kursk region. The attacks are being carried out through emails that contain photographs purportedly showing POWs and include a link to download an archive file.

Opening the file from this archive leads to the installation of a spyware program named SPECTR and a new data exfiltration tool called FIRMACHAGENT on the victim's computer. The archive in question contains a CHM file, which includes an HTML file ("part.html") that contains JavaScript code. The code executes an obfuscated PowerShell script designed to deploy various malicious components on the compromised system.

The PowerShell script is specifically designed to download the SPECTR malware, which is capable of stealing documents, screenshots, and browser data, among other sensitive information. Additionally, it installs the FIRMACHAGENT program ("chrome_updater.dll"), whose primary function is to upload the stolen data to a command-and-control server. The attack also sets up scheduled tasks to initiate an orchestrator ("IDCLIPNET_x86.dll") that manages the SPECTR plugins and FIRMACHAGENT.

The cyberattack is attributed to the UAC-0020 group, also known as Vermin, which is linked to security agencies based in Ukraine’s Luhansk region, which has been occupied by Russia since 2014.

To mitigate the threat, CERT-UA recommends that organizations reduce the attack surface by removing ordinary users from the "Administrators" group, and that they implement Software Restriction Policies (SRP) or AppLocker rules preventing users from running files with the .CHM extension and from launching powershell.exe.
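The following is an added example of how to implement that last recommendation with AppLocker; it is not CERT-UA's own policy. One caveat matters in practice: SRP treats CHM as a "designated file type", so an SRP path rule for `*.chm` set to Disallowed works directly, but AppLocker has no CHM file type, so the control point there is hh.exe, the HTML Help engine that Windows uses to open .CHM files. The script builds an AppLocker Exe policy that keeps the three default allow rules (so enabling enforcement does not block every other binary), adds deny rules for hh.exe and powershell.exe, dry-runs the policy with Test-AppLockerPolicy, and then applies it locally. It assumes a 64-bit host, an elevated shell, and that the accounts you want to restrict are members of BUILTIN\Users; the paths and rule names are this example's choices.

```powershell
# Added example, not CERT-UA's policy: AppLocker rules that deny hh.exe (runs .CHM)
# and powershell.exe for standard users, with the default allow rules kept intact.
# Assumes: 64-bit Windows, run from an elevated PowerShell, policy applied locally.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# AppLocker "Deny" always wins over "Allow", so any account whose token contains
# this SID is blocked, including admins who are also members of Users. If that is
# a problem, point this at a dedicated "restricted users" group SID instead.
$RestrictedSid = 'S-1-5-32-545'   # BUILTIN\Users
$AdminsSid     = 'S-1-5-32-544'   # BUILTIN\Administrators
$EveryoneSid   = 'S-1-1-0'        # Everyone

# Binaries to deny. AppLocker cannot match .chm itself, so deny its handler, hh.exe.
$DenyTargets = @(
    @{ Name = 'Deny HTML Help engine (CHM) 64-bit'; Path = '%WINDIR%\hh.exe' },
    @{ Name = 'Deny HTML Help engine (CHM) 32-bit'; Path = '%WINDIR%\SysWOW64\hh.exe' },
    @{ Name = 'Deny Windows PowerShell 64-bit';     Path = '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe' },
    @{ Name = 'Deny Windows PowerShell 32-bit';     Path = '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' }
)

# Emit one <FilePathRule> element; every rule needs a unique GUID id.
function New-PathRule([string]$Name, [string]$Path, [string]$Sid, [string]$Action) {
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules = @()
# The three default allow rules AppLocker generates; without them an enabled
# Exe collection denies everything that is not explicitly allowed.
$rules += New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' $EveryoneSid 'Allow'
$rules += New-PathRule 'Allow Windows folder' '%WINDIR%\*'      $EveryoneSid 'Allow'
$rules += New-PathRule 'Admins: all files'   '*'                $AdminsSid   'Allow'
# Deny rules override the '%WINDIR%\*' allow above for the restricted group.
foreach ($t in $DenyTargets) { $rules += New-PathRule $t.Name $t.Path $RestrictedSid 'Deny' }

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'block-chm-powershell.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before applying: expected Denied for hh.exe/powershell.exe and Allowed
# for notepad.exe when evaluated as the restricted group; all Allowed as Administrators.
$probe = @(
    "$env:WINDIR\hh.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\notepad.exe"
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User $RestrictedSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User $AdminsSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply (merged into the existing local policy). AppLocker is only evaluated while
# the Application Identity service runs, so make sure it starts automatically.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Verify the deny rules are part of the effective policy.
Get-AppLockerPolicy -Effective -Xml | Select-String -Pattern 'hh\.exe|powershell\.exe'
```

For a domain-wide rollout, export the same XML into a GPO with `Set-AppLockerPolicy -XmlPolicy ... -Ldap`, and consider running the Exe collection in `AuditOnly` mode first and reviewing the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) before switching to `Enabled`, since the host's own scheduled tasks and agents may legitimately call powershell.exe.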
