August 13, 2024Ravie LakshmananThreat Intelligence / Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign impersonating the Security Service of Ukraine and spreading malware that can gain remote access to desktops.

The agency is tracking the activity under the name UAC-0198. It estimates that more than 100 computers have been infected since July 2024, including those belonging to government agencies in the country.

The attack chains consist of mass distribution of emails to deliver a ZIP archive containing an MSI installer file. Opening this file leads to the deployment of malware called ANONVNC.

ANONVNC, which is based on an open-source remote management tool called MeshAgent, enables stealthy, unauthorized access to the infected hosts.

The development comes after CERT-UA blamed the UAC-0102 hacking group for phishing attacks that distributed HTML attachments that mimicked the UKR.NET login page in order to steal users’ credentials.

In recent weeks, the agency has also warned of an increase in campaigns distributing the PicassoLoader malware with the end goal of deploying Cobalt Strike Beacon on compromised systems. The attacks have been linked to a threat actor tracked as UAC-0057.

“It is reasonable to assume that the objects of interest of UAC-0057 could be both specialists of project offices and their ‘contractors’ from among the employees of the relevant local governments of Ukraine,” CERT-UA said.