An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT (remote access trojan) and stealing their data.
The malware campaign uses a decoy site to lure users into fake news bulletins that supposedly contain unreleased information about the situation in Ukraine.
These sites offer malicious documents that install a custom RAT that supports remote command execution and file operations.
The campaign was uncovered by threat analysts at Malwarebytes, who have provided all the details and indicators of compromise in their write-up.
Campaign details
The domain used in these attacks is "collaboration-bw[.]de," which the threat actor registered when the domain expired and then cloned the look of the real site.
Visitors of the site will find a file called "2022-Q2-Bedrohungslage-Ukraine," promising information about the situation in Ukraine and offered for free download.
The corresponding section on the site claims that the document is constantly updated with new information, so users are urged to get a fresh copy every day.
The downloaded ZIP archive contains a CHM file consisting of several compiled HTML files. If the victim opens it, they are served a bogus error message.
In the background, however, the file triggers PowerShell that runs a Base64 deobfuscator leading to fetching and executing a malicious script from the fake site.
The script eventually drops two files onto the victim's computer, the RAT in .txt file form and a .cmd file that helps execute it through PowerShell.
PowerShell RAT
The custom PowerShell RAT that hides in "Status.txt" begins its malicious operation by collecting basic system information and assigning a unique client ID.
This information and anything else stolen from the host computers is exfiltrated to a German domain, "kleinm[.]de".
To bypass Windows AMSI (Anti-malware Scan Interface), the RAT uses an AES-encrypted function named "bypass," decrypted on the fly using a generated key.
The main capabilities of the RAT are the following:
- Download files from the C2 server
- Upload files to the C2 server
- Load and execute a PowerShell script
- Execute a specific command
However, Malwarebytes does not give specific examples of how the threat actor used the RAT and its capabilities in the wild, so the campaign's goals remain unknown.
"It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution," explains Malwarebytes in the report.
"Based on motivation alone, we hypothesize that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak."
The critical takeaway is to be cautious with file downloads from the web, as even known and previously trustworthy websites may have quietly changed hands.
When it comes to news sites like this one, offering stories in file format instead of hosting everything on a web page is rarely justified by legitimate reasons, so treat it as a red flag.
Comments
ThomasMann - 1 year ago
Yes, the Germans have also turned into manipulated idiots, but no one should forget that the masses in ALL countries are retarded...
There are plenty of reliable sources in Germany that explain the Ukraine story, but after the estrangement caused by the management of the covid hysteria, almost everybody now wants to belong to the majority again. They simply no longer want to know!
There is no question that Putin is the same garbage as Biden and the others, there is no good side in this conflict here. But putting all the blame on Putin is just being wrong and stupid. His offer not to start any war was INTENTIONALLY ignored for weeks, or even years by the american governments of Obama, Trump and Biden.. And why wouldn't they? Only all the other involved countries stand to loose enormously.
The US will make windfall profits through weapons sales... and their sales of ugly, dirty gas....
And as always others fight america's wars, and others countries will be destroyed, the US stays clean, as always. And the americans the same ugly ingnorant idiots.
One can hope that the war spills into western Europe, and the idiots there get what they deserve, for sticking with the US. And the second hope is, that the US itself one day will make the same mistake in the Taiwan affair, because the Chinese will not prefer to "nice", they will bring that war the US. There will be Champagne.....
We others live in the same world of barbaric criminal countries, with the US number one, Israel #2, China #3 and Russia #4.
Have a nice future...
yawnshard - 1 year ago
What is with this profuse argumentum ad hominem? If everyone else is at fault, it might be in fact only you in reality being wrong :)
Try saying out loud to yourself in front of a mirror what you just wrote and think about how it sounds to other people.
ThomasMann - 1 year ago
Typical retarded answer ...
Only complete morons cannot grasp the simple fact that quantity does not mean quality.
Dont think about it, you might injure yourself.
yawnshard - 1 year ago
You are being too obvious at trolling, this is not 4chan honey <3
Finesse and subtlety are a form of art requiring years of training.
LittleDickPutin - 1 year ago
"cough troll alert, troll alert"