Cyber-criminals are exploiting Russia’s ongoing invasion of Ukraine to commit digital fraud.
In a blog post published Friday, researchers at Bitdefender Labs said they had witnessed “waves of fraudulent and malicious emails,” some of which were engineered to exploit the charitable intentions of global citizens towards the people of Ukraine.
Since March 1, researchers have been tracking two specific phishing campaigns designed to infect victims with the Agent Tesla and Remcos remote access Trojans (RATs).
Agent Tesla is a malware-as-a-service (MaaS) RAT and data stealer that can be used to exfiltrate sensitive information, including credentials, keystrokes and clipboard data from victims.
Remcos RAT is typically deployed via malicious documents or archives to give the attacker full control over their victims’ systems. Once inside, attackers can capture keystrokes, screenshots, credentials and other sensitive system data and exfiltrate it.
The first campaign detected by threat researchers was observed targeting organizations in the manufacturing industry via a .zip attachment named ‘REQ Supplier Survey.’ Recipients of the email are asked to complete a survey about their suppliers and backup plans in response to the assault on Ukraine.
“According to our threat researchers, the malicious payload is downloaded and deployed from a Discord link directly on the victim’s machine,” said Bitdefender Labs.
“Interestingly though, interacting with the malicious file will also download a clean version of Chrome on the users’ device – most likely an attempt at diverting users.”
Most of these attacks (86%) appeared to originate from IP addresses in the Netherlands. Targets for the malicious emails were spread all over the world, including South Korea (23%), the Czech Republic (14%), Germany (10%), the UK (10%), the US (8%), Ireland (5%), Hungary (3%), Sweden (3%) and Australia (2%).
The second campaign observed by researchers involved attackers impersonating a South Korean-based healthcare company to deliver the Remcos RAT via an Excel attachment (SUCT220002.xlsx).
Recipients are asked whether they want to put their orders on hold because shipments have been affected by the largest land invasion Europe has suffered since World War II.
Most of these attacks (89%) seemed to stem from IP addresses in Germany, with most intended victims located in Ireland (32%), India (17%), the US (7%) and the UK (4%).
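Both campaigns share the same shape: an invasion-themed lure, an archive or Office attachment, and (in the first case) a payload pulled from a Discord link. The following mail-gateway triage heuristic is an added example written for this article, not Bitdefender's code or part of either campaign's tooling. The only indicators taken from the article are the two attachment names; the Discord CDN host names, the score weights and the sample messages are assumptions constructed for illustration.

```python
"""Triage heuristic for invasion-themed lure emails (added example, not Bitdefender's code).

Indicators from the article: attachment names 'REQ Supplier Survey.zip' and 'SUCT220002.xlsx'.
Everything else (Discord host list, weights, sample records) is assumed for illustration.
"""
import re
from urllib.parse import urlparse

# Attachment names reported in the article, compared case-insensitively.
LURE_ATTACHMENTS = {"req supplier survey.zip", "suct220002.xlsx"}
# Container / macro-capable types commonly used to stage RATs (assumed list).
RISKY_EXTENSIONS = (".zip", ".rar", ".iso", ".xlsx", ".xlsm", ".docm")
# Assumed: hosts a "Discord link" to an uploaded file would resolve to.
DISCORD_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "discord.com", "discordapp.com"}
# Lure vocabulary drawn from the two campaigns' pretexts.
LURE_TEXT = re.compile(
    r"\b(ukrain\w*|russia\w*|invasion|supplier survey|shipment\w*|orders? on hold)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Weights are assumptions: a known lure file alone is enough to block,
# everything else needs corroboration.
WEIGHTS = {"lure_attachment": 3, "discord_link": 2, "risky_type": 1, "lure_text": 1}


def score_message(msg):
    """Return (score, reasons) for a dict with 'subject', 'body', 'attachments'."""
    reasons = []
    for name in msg.get("attachments", []):
        lname = name.lower()
        if lname in LURE_ATTACHMENTS:
            reasons.append(("lure_attachment", name))
        elif lname.endswith(RISKY_EXTENSIONS):
            reasons.append(("risky_type", name))
    for url in URL_RE.findall(msg.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        if host in DISCORD_HOSTS:
            reasons.append(("discord_link", host))
    if LURE_TEXT.search(msg.get("subject", "") + " " + msg.get("body", "")):
        reasons.append(("lure_text", "invasion-themed pretext"))
    score = sum(WEIGHTS[kind] for kind, _ in reasons)
    return score, reasons


def triage(msg):
    """Map a score to a verdict: 'block' (>=3), 'review' (2) or 'allow'."""
    score, reasons = score_message(msg)
    if score >= 3:
        return "block", reasons
    if score == 2:
        return "review", reasons
    return "allow", reasons


# Constructed sample messages modelled on the two campaigns plus one benign mail.
SAMPLES = [
    {"subject": "REQ Supplier Survey",
     "body": "Please complete the survey on your suppliers and backup plans given the assault on Ukraine.",
     "attachments": ["REQ Supplier Survey.zip"]},
    {"subject": "Order status",
     "body": "Shipments are affected by the invasion. Do you want to put your orders on hold? See attached.",
     "attachments": ["SUCT220002.xlsx"]},
    {"subject": "Updated order form",
     "body": "Download the form here: https://cdn.discordapp.com/attachments/1/2/order.exe",
     "attachments": []},
    {"subject": "Q2 invoice", "body": "Attached is the invoice.", "attachments": ["invoice.pdf"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = triage(sample)
        print(f"{verdict:6} {sample['subject']!r}: {why}")
```

The weights deliberately keep a Ukraine-themed message with an ordinary PDF at "allow" so that genuine charity or supplier correspondence is not swept up; a Discord-hosted download with no attachment lands in "review", and either reported lure filename is enough to block on its own.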