The Computer Emergency Response Team of Ukraine (CERT-UA) announced on Tuesday that they successfully foiled a cyber attack against a critical energy infrastructure facility in Ukraine. The attack began with a phishing email, which contained a link to a malicious ZIP archive that triggered the infection process.

Upon clicking the link, the victim’s computer would download the ZIP archive, which contained three decoy JPG images and a BAT file called ‘weblinks.cmd’. This activity was attributed to the Russian threat group known as APT28, also known as BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE.

When the CMD file was executed, it would open several decoy web pages, create .bat and .vbs files, and launch a VBS file that would subsequently execute the BAT file.

In the next phase of the attack, the compromised host would run the “whoami” command to gather information and exfiltrate it. Additionally, the attacker would download the TOR hidden service to route malicious traffic.

To maintain persistence, the attacker utilized a scheduled task, while remote command execution was achieved using cURL through a legitimate service called Interestingly, was recently disclosed as being used by a threat actor known as Dark Pink.

Fortunately, the attack was unsuccessful due to restricted access to Mocky and the Windows Script Host (wscript.exe). It’s worth noting that APT28 has previously been associated with the use of Mocky APIs.
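The chain described above (script host launching a .vbs, cmd.exe running a batch file under it, whoami for reconnaissance, a scheduled task for persistence, and cURL to an external web service) can be turned into a simple multi-stage correlation over process-creation telemetry. The following Python is an added example, not code from CERT-UA or this article; the event field names, file names other than weblinks.cmd, and sample events are constructed.

```python
"""Correlate process-creation events into the multi-stage chain described above.
Field names (host, parent, image, cmdline) and sample events are constructed."""
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# One predicate per stage of the chain; a stage matches a single event.
STAGES = [
    ("script_host_launch", lambda e: e["image"].lower().endswith(SCRIPT_HOSTS)
        and e["cmdline"].lower().endswith((".vbs", ".vbe"))),
    ("batch_from_script_host", lambda e: e["parent"].lower().endswith(SCRIPT_HOSTS)
        and e["image"].lower().endswith("cmd.exe")
        and any(ext in e["cmdline"].lower() for ext in (".bat", ".cmd"))),
    ("host_recon", lambda e: e["image"].lower().endswith("whoami.exe")),
    ("scheduled_task", lambda e: e["image"].lower().endswith("schtasks.exe")
        and "/create" in e["cmdline"].lower()),
    ("curl_to_web_service", lambda e: e["image"].lower().endswith("curl.exe")
        and "http" in e["cmdline"].lower()),
]

def score_hosts(events, min_stages=3):
    """Return {host: sorted stage names} for hosts that hit >= min_stages distinct stages.
    Requiring several stages keeps a lone 'whoami' from paging anyone."""
    hits = defaultdict(set)
    for e in events:
        for name, match in STAGES:
            if match(e):
                hits[e["host"]].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

def ev(host, parent, image, cmdline):
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}

SYS = r"C:\Windows\System32"
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed telemetry; WS-017 shows the full chain, WS-042 only recon
    ev("WS-017", r"C:\Windows\explorer.exe", SYS + r"\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\weblinks.cmd"'),
    ev("WS-017", SYS + r"\cmd.exe", SYS + r"\wscript.exe", "wscript.exe " + TMP + r"\run.vbs"),
    ev("WS-017", SYS + r"\wscript.exe", SYS + r"\cmd.exe", "cmd.exe /c " + TMP + r"\stage.bat"),
    ev("WS-017", SYS + r"\cmd.exe", SYS + r"\whoami.exe", "whoami"),
    ev("WS-017", SYS + r"\cmd.exe", SYS + r"\schtasks.exe",
       "schtasks /create /sc minute /mo 5 /tn Updater /tr " + TMP + r"\stage.bat"),
    ev("WS-017", SYS + r"\cmd.exe", SYS + r"\curl.exe", "curl.exe -s https://example.invalid/hook"),
    ev("WS-042", r"C:\Windows\explorer.exe", SYS + r"\whoami.exe", "whoami /all"),
]

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

The predicates are deliberately loose; what makes them useful is the per-host stage count, which mirrors the defensive outcome in the report, where blocking wscript.exe alone cut the chain short.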

This disclosure comes at a time when Ukraine continues to face phishing attacks, some of which exploit an off-the-shelf malware obfuscation engine called ScruptCrypt to distribute AsyncRAT.

Additionally, another cyber assault, attributed to GhostWriter (also known as UAC-0057 or UNC1151), capitalized on a recently exposed zero-day vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike, according to CERT-UA.
