An infostealer is spread through Ukraine’s DELTA military system

December 22, 2022
Infostealer Malware Ukraine Europe CERT UA DELTA Military System Phishing

Ukraine’s DELTA military system has been infected with infostealing malware after a compromised email account belonging to the Ukrainian Ministry of Defence was used to spread phishing emails carrying the payload.

CERT-UA highlighted the campaign in a recent announcement warning the country’s military forces to be wary of the malware attack.

Ukraine’s DELTA military system is an intelligence collection and management system designed by the country to aid its allies in tracking the movements of their enemies. The system presents real-time information, integrated from several sources, on a digital map that can be used from any electronic device, such as a smartphone or laptop.

Digital certificates are commonly used to authenticate servers and to sign software code, which tells security products running on the operating system that the application has not been tampered with and that the server operators are who they claim to be.

The attackers focus on distributing phishing messages to target the DELTA military system.

Based on reports, the threat actors utilised instant messages and emails that contained fake warnings about users needing to update their certificates, which led to the compromise of the DELTA military system.

The malicious messages carry a PDF document with certificate installation instructions; the document contains links that send the user to a website hosting a downloadable ZIP archive.

The archive contains a digitally signed executable that writes multiple DLL files to the victim’s system and launches ais[.]exe, which simulates a certificate installation. This convinces the victim that the process is legitimate and avoids raising suspicion.

The DLLs and EXE files are additionally protected with legitimate software used to wrap files in virtualised environments, encrypt their content and bypass AV analysis.

CERT-UA said the dropped DLLs, procsys[.]dll and FileInfo[.]dll, are the StealDeal and FateGrab malware.

StealDeal is an infostealer that can steal internet browsing data and passwords stored in the search engine, while FateGrab is an FTP file stealer that targets emails and documents of specific formats.
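As an added triage example (not CERT-UA’s or the author’s code): given a ZIP archive of the kind described above, flag members that are PE images by their magic bytes rather than by extension, note whether each carries an Authenticode certificate table, and match member names against the file names quoted in this report. The PE bytes and the archive are constructed stand-ins, and the names `has_authenticode_table`, `triage_zip`, `fake_pe` and `sample_archive` are assumed here.

```python
import io, struct, zipfile
REPORTED_NAMES = {"ais.exe", "procsys.dll", "fileinfo.dll"}  # names quoted in the report

def has_authenticode_table(data: bytes) -> bool:
    """True if the PE Certificate Table (data dir 4) is non-empty; presence only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 24                                   # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = opt + (112 if magic == 0x20B else 96) + 4 * 8   # PE32+ vs PE32
    if entry + 8 > len(data):
        return False
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0

def triage_zip(archive: bytes) -> list:
    """One finding per member that is a PE by magic or matches a reported name."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            is_pe = blob[:2] == b"MZ"
            base = info.filename.rsplit("/", 1)[-1].lower()
            if is_pe or base in REPORTED_NAMES:
                out.append({"name": info.filename, "pe": is_pe,
                            "signed": is_pe and has_authenticode_table(blob),
                            "reported": base in REPORTED_NAMES})
    return out

def fake_pe(signed: bool) -> bytes:   # constructed minimal PE32+ header
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)           # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    if signed:
        struct.pack_into("<II", opt, 112 + 32, 0x400, 0x200)  # cert table
    return bytes(hdr) + coff + bytes(opt)

def sample_archive() -> bytes:   # constructed stand-in for the reported ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instructions.txt", "see the PDF")
        zf.writestr("ais.exe", fake_pe(True))
        zf.writestr("procsys.dll", fake_pe(False))
        zf.writestr("setup.dat", fake_pe(True))     # PE behind a data extension
    return buf.getvalue()
```

A certificate table only shows that a signature blob is attached; whether it verifies, and who signed it, still has to be checked with the platform’s signature tooling.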

The Ukrainian CERT has yet to find evidence that would link the attack to any known threat group. However, Russian threat groups are, as always, the most plausible suspects.
