The Computer Emergency Response Team of Ukraine (CERT-UA) detected a compromised email account belonging to a Ukrainian Ministry of Defense employee being used to send phishing emails to users of the DELTA situational awareness program in an attempt to install information-stealing malware. DELTA is an intelligence platform created by Ukraine and its allies to help track the movement of enemy forces. The platform presents real-time information from multiple sources on a digital map that can run on any electronic device. The platform uses digital certificates for code signing and for authenticating its servers, so that security products can verify that the application has not been tampered with and that the server operator is who they claim to be.
The phishing emails used in this campaign presented users with a fake warning that they had to update their DELTA certificates to continue using the system securely. Attached to the email was a PDF with installation instructions containing a link to download a ZIP archive. Once unpacked, the archive contained a digitally signed EXE that created two DLL files upon launch. A separate executable was also launched that simulated the certificate installation process, to better convince the victim that this was a legitimate service installation.
The two DLL files are assessed to be "FateGrab" and "StealDeal". FateGrab is an FTP file stealer, while StealDeal is an information stealer with many capabilities, including browser credential harvesting. Both the DLLs and the EXE were protected with VMProtect, which encrypts the files to hinder their detection and analysis. CERT-UA was not able to attribute this campaign to any known threat actor.
Phishing continues to be one of the most common means of initial access for threat actors of all skill levels. In this instance, the actor was likely trying to steal credentials and information concerning the DELTA program in order to assist with counterintelligence. Protecting against phishing campaigns is often difficult because a campaign succeeds as soon as a single user falls for it, and it is even more difficult with advanced campaigns such as this one, which arrive from legitimate senders and include fake applications that mimic real processes. In the end, the best protection against phishing is to train users to identify these emails, to employ an email monitoring solution that inspects URLs and attachments, and to employ a defense-in-depth detection strategy that catches the techniques used post-compromise.
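The following Python sketch, added here as an example and not part of the original report or of any CERT-UA tooling, shows what the two detection layers recommended above can look like in practice: a gateway-side check that scores email records for the lure pattern described in this campaign (certificate-update pretext, PDF attachment, link to an archive, internal sender pointing at an external host), and an endpoint-side correlation that flags a process which drops two or more DLLs and then spawns another executable, as the signed dropper did. Every gateway record, endpoint event, domain, hostname, path and PID below is constructed for the example, and the internal mail domain `example-mod.test` is an assumption.

```python
"""Added example (not from the original report): two detection layers for the
phishing chain described above. All sample data below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed: the organisation's own mail domain (constructed value).
INTERNAL_DOMAIN = "example-mod.test"
CERT_WORDS = re.compile(r"\bcert(ificate)?s?\b", re.I)
ACTION_WORDS = re.compile(r"\b(update|renew(al)?|install)\b", re.I)

# Constructed email-gateway records: sender, subject, attachment names, extracted URLs.
EMAIL_EVENTS = [
    {"id": "msg-0001", "from": "staff@example-mod.test",
     "subject": "DELTA: update your certificates to keep using the system",
     "attachments": ["certificate_instructions.pdf"],
     "urls": ["https://files.invalid/delta_cert_update.zip"]},
    {"id": "msg-0002", "from": "staff@example-mod.test",
     "subject": "Weekly status report",
     "attachments": ["report.pdf"], "urls": []},
    {"id": "msg-0003", "from": "helpdesk@example-mod.test",
     "subject": "Certificate renewal reminder",
     "attachments": [], "urls": ["https://intranet.example-mod.test/pki/renew"]},
]


def email_indicators(ev):
    """Return the list of lure indicators present in one gateway record."""
    hits = []
    if CERT_WORDS.search(ev["subject"]) and ACTION_WORDS.search(ev["subject"]):
        hits.append("cert-update pretext")
    if any(a.lower().endswith(".pdf") for a in ev["attachments"]):
        hits.append("pdf attachment")
    sender_domain = ev["from"].rsplit("@", 1)[-1].lower()
    for url in ev["urls"]:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith((".zip", ".rar", ".7z")):
            hits.append("link to archive")
        # A message from an internal sender that sends recipients to an
        # external download host is the "trusted sender" pattern from this campaign.
        if sender_domain == INTERNAL_DOMAIN and not host.endswith(INTERNAL_DOMAIN):
            hits.append("internal sender, external host")
    return hits


def flag_emails(events, threshold=3):
    """Return ids of messages carrying at least `threshold` distinct indicators."""
    return [ev["id"] for ev in events if len(set(email_indicators(ev))) >= threshold]


# Constructed endpoint telemetry: file writes and child-process creation per process.
ENDPOINT_EVENTS = [
    {"host": "ws-17", "pid": 4120, "image": r"C:\Users\u\Downloads\delta_cert_update.exe",
     "action": "file_write", "target": r"C:\Users\u\AppData\Local\Temp\a.dll"},
    {"host": "ws-17", "pid": 4120, "image": r"C:\Users\u\Downloads\delta_cert_update.exe",
     "action": "file_write", "target": r"C:\Users\u\AppData\Local\Temp\b.dll"},
    {"host": "ws-17", "pid": 4120, "image": r"C:\Users\u\Downloads\delta_cert_update.exe",
     "action": "process_create", "target": r"C:\Users\u\AppData\Local\Temp\certinstall.exe"},
    {"host": "ws-22", "pid": 990, "image": r"C:\Program Files\Updater\updater.exe",
     "action": "file_write", "target": r"C:\Program Files\Updater\core.dll"},
]


def find_dropper_chains(events, min_dlls=2):
    """Group events by (host, pid) and return the processes that wrote at least
    `min_dlls` DLL files and also spawned another executable."""
    by_proc = defaultdict(lambda: {"dlls": set(), "children": set()})
    for ev in events:
        rec = by_proc[(ev["host"], ev["pid"])]
        target = ev["target"].lower()
        if ev["action"] == "file_write" and target.endswith(".dll"):
            rec["dlls"].add(target)
        elif ev["action"] == "process_create" and target.endswith(".exe"):
            rec["children"].add(target)
    return sorted(key for key, rec in by_proc.items()
                  if len(rec["dlls"]) >= min_dlls and rec["children"])


if __name__ == "__main__":
    for msg_id in flag_emails(EMAIL_EVENTS):
        print("suspicious message:", msg_id)
    for host, pid in find_dropper_chains(ENDPOINT_EVENTS):
        print("dropper-like process:", host, pid)
```

The gateway check deliberately requires several independent indicators before flagging, so a routine internal certificate reminder (msg-0003) or an ordinary PDF report (msg-0002) is not raised; the endpoint check is the defense-in-depth layer that still fires if the email slips through and the dropper runs.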