The developing crisis in Ukraine is now being taken advantage of by threat actors looking to leverage the fear of war spreading to other nations. Two separate campaigns have been seen in the wild. The first campaign involves the well-known malware-as-a-service Agent Tesla and is targeting manufacturing corporations through malspam campaigns. Users are receiving emails with ZIP attachments that are asking them to fill out a survey regarding response plans in relation to the Ukraine crisis. The origin IP addresses in this campaign are coming from Hungary and the Netherlands and have reached the inboxes of people in around nine different countries, including the United States. The second malspam campaign has seen threat actors posing as a South Korean healthcare company that sells in-vitro diagnostic analyzers. The emails received by potential victims state that orders from the company have been put on hold due to the issues in Ukraine. It then asks the receiver to view an Excel document regarding their order. The Excel document contains the Remcos RAT, typically used to capture keystrokes, screenshots, credentials, and other sensitive system information and then sends it to Command-and-Control (C2) servers that are under the control of the threat actors. These emails have also reached users in the US.
Analyst Notes
It is no surprise that threat actors are attempting to take advantage of unfortunate circumstances to benefit themselves. This is likely not going to be the last campaign that we see referencing the Ukrainian conflict. Regardless of the time or situation, users should always be skeptical of emails coming from unknown senders that contain attachments or ask for credentials. Verifying the validity of an email should be common practice moving forward.
https://cyware.com/news/cybercriminals-use-war-as-a-lure-for-malware-propagation-5f553484
https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine
