Russian hackers send emails with malware, taking advantage of national mobile operator Kyivstar's outage

Friday, 22 December 2023, 14:21

Russian hackers are taking advantage of the outage at Kyivstar, one of Ukraine’s national mobile operators, to send out emails containing malware to Ukrainians using archive files named "Amount owed by subscriber", "Request", "Documents", etc., the State Service of Special Communications has warned.

Source: State Service of Special Communications and Information Protection of Ukraine (SSSCIP) and the Government Computer Emergency Response Team (CERT-UA)

Quote from SSSCIP: "Hackers persist in exploiting issues that are bothering thousands of Ukrainians to spread malware. This time, experts from CERT-UA, the Governmental Computer Emergency Response Team of Ukraine, have uncovered a massive email campaign with the subject line 'Amount owed under your Kyivstar contract' and an attachment named 'Amount owed by subscriber.zip'.

Ukrainians have received emails regarding 'Amount owed under your Kyivstar contract', which contained attachments in the form of an archive named 'Amount owed by subscriber.zip' with attached password-protected RAR archives.

Moreover, CERT-UA has detected the spreading of emails with the subject heading 'Security Service of Ukraine (SSU) request" with an attachment named 'Documents.zip'. It includes a password-protected RAR archive 'Request.rar' followed by an executable file, 'Request.exe'. As in the previous case, opening the archive and running the file leads to exposure to a RemcosRAT remote access programme."

Details: The mobile operator Kyivstar experienced a large-scale outage on the morning of 12 December.

The CERT-UA team detected a massive email distribution with the subject line "Amount owed under your Kyivstar contract" and the attachment "Amount owed by subscriber.zip" on 21 December.

The ZIP archive contains a two-part RAR-archive "Amount owed by subscriber.rar", containing a password-protected archive bearing the same name. The latter includes a document with the macro "Customer debt.doc".

Once activated, the macro code will download the file "GB.exe" to the computer and run it using the SMB protocol via the file explorer (explorer.exe).

On its part, this file is an SFX archive containing a BATCH script to download the executable file "wsuscr.exe" from bitbucket and run it, compiled using SmartAssembly .NET, which is intended to decrypt and run the RemcosRAT remote control software (licence ID: 5639D40461DCDD07011A2B87AD3C9EDD).

It was found that emails with the subject heading "SSU request" are also being sent out, with an attachment "Documents.zip" containing a password-protected RAR archive "Request.rar" divided into three parts. The latter includes the executable file "Request.exe". Opening the archive and running the executable files exposes the computer to RemcosRAT (licence ID: 5639D40461DCDD07011A2B87AD3C9EDD).

Apart from the typical UAC-0050 location of RemcosRAT control servers on the technical site of the Malaysian hosting provider Shinjiru, they are also located within the autonomous system AS44477 (STARK INDUSTRIES SOLUTIONS LTD).

Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) reports that this is not the first such attack by the UAC-0050 group.

Cybercriminals have recently sent out emails about "legal claims" and "debts". The attack targeted users from Ukraine and Poland.

The UAC-0050 group has also attempted to steal data by pretending to act on behalf of the Ukrainian Foreign Ministry, sending malicious emails supposedly from the Security Service of Ukraine, the Pechersk District Court of Kyiv, and Ukrtelecom, Ukraine's telephone company.

Emails with malicious attachments were also sent out last year claiming to be from the State Emergency Service, the Ukrainian General Staff’s press service, the SSU, the SSSCIP, and even CERT-UA itself.

Support UP or become our patron