CERT-UA has issued a warning about a new phishing campaign by the Vermin hacking collective targeting Ukraine [4] [6].
Description
The group, tracked by CERT-UA as UAC-0020 [3] [6], is assessed to be linked to the self-proclaimed Luhansk People's Republic and its security agencies and to act on behalf of the Kremlin [4] [5]. It has resurfaced with a new offensive tool called FIRMACHAGENT [6].

The campaign uses phishing emails whose lure concerns prisoners of war at the Kursk front [6]. The emails lead to a ZIP archive containing a CHM (compiled HTML Help) file, which in turn carries an obfuscated PowerShell script. Opening the CHM file runs the script, which installs components of the SPECTR spyware together with the new FIRMACHAGENT malware [4]. SPECTR collects data from the compromised host, and FIRMACHAGENT transmits the stolen data to remote servers controlled by the attackers [4] [6]. Vermin [1] [2] [3] [4] [5] [6] has previously been involved in cyberattacks against Ukraine's defense forces [4].

To reduce the attack surface, organizations are advised to restrict user privileges and to block the execution of CHM files and of powershell.exe where they are not required for administration [6]. Security professionals can use Sigma rules from the SOC Prime Platform to detect this activity; the rules are compatible with a range of SIEM, EDR and data lake solutions and are mapped to the MITRE ATT&CK framework [6]. Uncoder AI can additionally be used to investigate the IOCs published in the CERT-UA#10742 alert [6]. This latest campaign illustrates the evolving tactics of Vermin and underlines the need for continued vigilance against sophisticated cyber threats [4].
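The execution chain above (a CHM file opened by the Windows HTML Help viewer, hh.exe, that spawns PowerShell with an obfuscated command line) is the kind of parent/child relationship a process-creation detection rule keys on. The following is an added example written for this page, not code from CERT-UA, SOC Prime or the referenced articles: it scans constructed Sysmon Event ID 1-style records (JSON lines, not telemetry from the alert) for hh.exe launching a script interpreter and for PowerShell started with -EncodedCommand or one of its accepted short forms. The field names mirror Sysmon's JSON export; all file names, paths, timestamps and the Base64 payload are placeholders, not indicators from the alert.

```python
"""Flag the CHM -> PowerShell execution chain on Sysmon-style process events.

Added example for this page (not code from CERT-UA or SOC Prime).  Field
names follow Sysmon Event ID 1 as commonly exported to JSON (UtcTime, Image,
ParentImage, CommandLine).  The sample events below are constructed; paths,
file names and the Base64 blob are placeholders, not real indicators.
"""
import json
import ntpath
import re

# Interpreters a CHM shortcut object can invoke to reach a PowerShell stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample log lines: one JSON object per line.  Events 2 and 5 are
# the suspicious ones; event 4 is ordinary admin use that must NOT be flagged.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-08-20 09:14:02.101", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\hh.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Users\\user\\Downloads\\photos.chm"}
{"UtcTime": "2024-08-20 09:14:03.377", "ParentImage": "C:\\Windows\\hh.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="}
{"UtcTime": "2024-08-20 09:20:45.002", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" report.docx"}
{"UtcTime": "2024-08-20 09:31:10.550", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1"}
{"UtcTime": "2024-08-20 09:40:12.913", "ParentImage": "C:\\Windows\\hh.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start C:\\Users\\user\\AppData\\Local\\Temp\\stage.bat"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path or "").lower()


def has_encoded_switch(cmdline: str) -> bool:
    """True if the command line carries -EncodedCommand or an accepted short form.

    powershell.exe resolves any unambiguous prefix of EncodedCommand (-e, -en,
    -enc, ...) and also the documented alias -ec.  Checking prefixes, rather
    than a fixed list, avoids false hits on -ExecutionPolicy / -ep, which are
    not prefixes of "encodedcommand".
    """
    for match in re.finditer(r"(?<!\S)[-/](\w+)", cmdline):
        switch = match.group(1).lower()
        if switch == "ec" or (switch.startswith("e")
                              and "encodedcommand".startswith(switch)):
            return True
    return False


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    # The CHM viewer has no business launching a script interpreter.
    if parent == "hh.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"hh.exe spawned {image}")
    # Encoded command lines are the usual wrapper for an obfuscated script.
    if image in POWERSHELL and has_encoded_switch(cmdline):
        reasons.append("PowerShell launched with an encoded command")
    return reasons


def detect(jsonl: str) -> list[dict]:
    """Run classify() over every event and collect the hits in log order."""
    hits = []
    for event in parse_events(jsonl):
        reasons = classify(event)
        if reasons:
            hits.append({"time": event.get("UtcTime"),
                         "image": basename(event.get("Image", "")),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["time"], hit["image"], "; ".join(hit["reasons"]))
```

Run against the constructed events, the scan reports the hh.exe → powershell.exe launch (two reasons: the parent/child pair and the encoded command) and the hh.exe → cmd.exe launch, while the explorer.exe → hh.exe open of the CHM itself and the cmd.exe → powershell.exe -ExecutionPolicy Bypass line stay silent. The same logic maps directly onto a Sigma process_creation rule (ParentImage|endswith: \hh.exe, Image|endswith one of the script hosts), which is the shape of rule the SOC Prime content described above provides.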
Conclusion
This new phishing campaign by the Vermin hacking collective poses a serious threat to organizations in Ukraine. Security professionals should take proactive measures to mitigate the risks posed by the SPECTR spyware and the FIRMACHAGENT malware, starting with the privilege restrictions and CHM and PowerShell execution controls recommended by CERT-UA. Staying informed about the group's evolving tactics and using detection content such as the Sigma rules described above remain essential for defending against sophisticated cyber threats.
References
[1] https://cyber.vumetric.com/security-news/2024/08/21/cert-ua-warns-of-new-vermin-linked-phishing-attacks-with-pow-bait/
[2] https://thehackernews.com/2024/08/cert-ua-warns-of-new-vermin-linked.html
[3] https://securityaffairs.com/167327/apt/cer-ua-vermin-phishing-campaign.html
[4] https://cybermaterial.com/new-vermin-linked-phishing-campaign-unveiled/
[5] https://www.infosecurity-magazine.com/news/vermin-cyberattacks-ukraine-kursk/
[6] https://socprime.com/blog/uac-0020-vermin-activity-detection-a-new-phishing-attack/