New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

Spyware Campaign Targeting Ukraine Tied to Luhansk People’s Republic

Luhansk People’s Republic (LPR): Researchers believe that the Luhansk People’s Republic (LPR), also called the Lugansk People’s Republic, is behind a recent attack on the Ukrainian government utilizing the RatVermin Spyware.   The LPR is a proto-state located in eastern Ukraine which declared its independence in 2014.  The spear-phishing campaign targeted members of the Ukrainian government and military beginning as long ago as 2014. The campaign utilizes emails containing malicious LNK files with PowerShell scripts which then download a second payload.  In one of the instances, the sender of the email impersonated a member of the U.K. defense contractor Armtrac selling de-mining machines.  In this instance, legitimate Armtrac documents were attached to the email in addition to the malicious document.  The network infrastructure tied to the second payload has been previously tied to the RatVermin RAT.  During the analysis of the campaign, it was found that the command-and-control server was registered using the same email as several other LPR domains, including the official website of the LPR’s Ministry of State Security. Other domains included fake news sites which mimic major news outlets in Ukraine.

Analyst Notes

Ukraine and the LPR have been at constant odds since the LPR declared their independence five years ago, with the continued ongoing turmoil in the region it is not surprising that the LPR would be interested in carrying out a cyber-espionage campaign against the Ukrainian government.