The Computer Emergency Response Team of Ukraine (CERT-UA) detected the compromised email account of a Ukrainian Ministry of Defense employee being used to send phishing emails to users of the DELTA situational awareness program, with the goal of installing information-stealing malware. DELTA is an intelligence platform created by Ukraine and its allies to help track the movement of enemy forces; it presents real-time information from multiple sources on a digital map that can run on any electronic device. The platform uses digital certificates for code signing and server authentication: they tell security products that the application has not been tampered with and assure clients that the server operator is who they claim to be.
The phishing emails in this campaign displayed a fake warning that the user had to update their DELTA certificates to continue using the system securely. Attached to the email is a PDF with installation instructions that includes a link to download a ZIP archive. Once unpacked, the archive contains a digitally signed EXE that creates two DLL files when launched. It also launches a separate executable that simulates a certificate installation process, making it more convincing to the victim that this is a legitimate service installation.
The two DLL files are assessed to be “FateGrab” and “StealDeal”. FateGrab is an FTP file stealer, while StealDeal is an information stealer with many capabilities, including browser credential harvesting. Both the DLLs and the EXE files were protected with VMProtect, which encrypted the files to hinder detection and analysis. The Computer Emergency Response Team of Ukraine was not able to attribute this campaign to any known threat actor.
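The execution chain described above (a signed EXE run from an unpacked archive that writes two DLLs beside itself and spawns a second, decoy executable) can be turned into a hunting heuristic over endpoint telemetry. The following is an added example, not code from the CERT-UA report; the event fields, path markers and sample events are constructed assumptions, and the rule will need tuning against legitimate installers in a real environment.

```python
# Added example (not from the CERT-UA report): a hunting heuristic for the
# chain described above. Field names and sample events are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed markers for user-writable folders where an unpacked ZIP would land.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\")

@dataclass
class ProcessEvent:
    pid: int
    image: str                    # full path of the executable image
    signed: bool                  # Authenticode signature validated by the sensor
    files_written: List[str] = field(default_factory=list)
    children: List[int] = field(default_factory=list)   # pids spawned by this process

def _dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"

def find_delta_chain(events: List[ProcessEvent]) -> List[int]:
    """Return pids of signed EXEs run from a user-writable folder that write
    two or more DLLs beside themselves and then spawn another EXE."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[int] = []
    for e in events:
        img = e.image.lower()
        if not (e.signed and img.endswith(".exe")):
            continue
        if not any(marker in img for marker in USER_WRITABLE):
            continue
        here = _dir(img)
        dlls = [f for f in e.files_written
                if f.lower().endswith(".dll") and _dir(f) == here]
        spawns_exe = any(by_pid[c].image.lower().endswith(".exe")
                         for c in e.children if c in by_pid)
        if len(dlls) >= 2 and spawns_exe:
            hits.append(e.pid)
    return hits

# Constructed sample telemetry: one lure-like chain and one benign signed tool.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Users\u\Downloads\certs\update.exe", True,
                 [r"C:\Users\u\Downloads\certs\a.dll",
                  r"C:\Users\u\Downloads\certs\b.dll"], [101]),
    ProcessEvent(101, r"C:\Users\u\Downloads\certs\install_ui.exe", True),
    ProcessEvent(200, r"C:\Program Files\Tool\tool.exe", True,
                 [r"C:\Program Files\Tool\helper.dll"], [201]),
    ProcessEvent(201, r"C:\Program Files\Tool\child.exe", True),
]

if __name__ == "__main__":
    print(find_delta_chain(SAMPLE_EVENTS))   # → [100]
```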