CERT-UA Identifies Malicious RDP Files in Latest Attack on Ukrainian Entities

October 26, 2024

The Computer Emergency Response Team of Ukraine (CERT-UA) has detailed a new malicious email campaign targeting government agencies, enterprises, and military entities.

"The messages exploit the appeal of integrating popular services like Amazon or Microsoft and implementing a zero-trust architecture," CERT-UA said. "These emails contain attachments in the form of Remote Desktop Protocol ('.rdp') configuration files."

Once executed, the RDP files establish a connection with a remote server, enabling the threat actors to gain remote access to the compromised hosts, steal data, and plant additional malware for follow-on attacks.

Infrastructure preparation for the activity is believed to have been underway since at least August 2024, with the agency stating that it's likely to spill out of Ukraine to target other countries.

CERT-UA has attributed the campaign to a threat actor it tracks as UAC-0215. Amazon Web Service (AWS), in an advisory of its own, linked it to the Russian nation-state hacking group known as APT29.

"Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn't the target, nor was the group after AWS customer credentials," CJ Moses, Amazon's chief information security officer, said. "Rather, APT29 sought its targets' Windows credentials through Microsoft Remote Desktop."

The tech giant said it also seized the domains the adversary was using to impersonate AWS in order to neutralize the operation. Some of the domains used by APT29 are listed below -

ca-west-1.mfa-gov[.]cloud
central-2-aws.ua-aws[.]army
us-east-2-aws.ua-gov[.]cloud
aws-ukraine.cloud
aws-data.cloud
aws-s3.cloud
aws-il.cloud
aws-join.cloud
aws-meet.cloud
aws-meetings.cloud
aws-online.cloud
aws-secure.cloud
s3-aws[.]cloud
s3-fbi[.]cloud
s3-nsa[.]cloud, and
s3-proofpoint[.]cloud

The development comes as CERT-UA also warned of a large-scale cyber attack aimed at stealing confidential information of Ukrainian users. The threat has been cataloged under the moniker UAC-0218.

The starting point of the attack is a phishing email containing a link to a booby-trapped RAR archive that purports to be either bills or payment details.

Present within the archive is a Visual Basic Script-based malware dubbed HOMESTEEL that's designed to exfiltrate files matching certain extensions ("xls," "xlsx," "doc," "docx," "pdf," "txt," "csv," "rtf," "ods," "odt," "eml," "pst," "rar," and "zip") to an attacker-controlled server.

"This way criminals can gain access to personal, financial and other sensitive data and use it for blackmail or theft," CERT-UA said.

Furthermore, CERT-UA has alerted of a ClickFix-style campaign that's designed to trick users into malicious links embedded in email messages to drop a PowerShell script that's capable of establishing an SSH tunnel, stealing data from web browsers, and downloading and launching the Metasploit penetration testing framework.

Users who click the link are directed to a fake reCAPTCHA verification page that prompts them to verify their identity by clicking on a button. This action copies the malicious PowerShell script ("Browser.ps1") to the user's clipboard and displays a popup window with instructions to execute it using the Run dialog box in Windows.

CERT-UA said it has an "average level of confidence" that the campaign is the work of another Russian advanced persistent threat actor known as APT28 (aka UAC-0001).

The cyber offensives against Ukraine come amidst a report from Bloomberg that detailed how Russia's military intelligence agency and Federal Security Service (FSB) systematically targeted Georgia's infrastructure and government as part of a series of digital intrusions between 2017 to 2020. Some of the attacks have been pinned on Turla.