The developing crisis in Ukraine is now being exploited by threat actors looking to leverage the fear of war spreading to other nations. Two separate campaigns have been seen in the wild.

The first campaign involves the well-known malware-as-a-service Agent Tesla and is targeting manufacturing corporations through malspam campaigns. Users are receiving emails with ZIP attachments asking them to fill out a survey regarding response plans in relation to the Ukraine crisis. The originating IP addresses in this campaign are located in Hungary and the Netherlands, and the emails have reached the inboxes of people in around nine different countries, including the United States.

The second malspam campaign has seen threat actors posing as a South Korean healthcare company that sells in-vitro diagnostic analyzers. The emails received by potential victims state that orders from the company have been put on hold due to the issues in Ukraine, and then ask the recipient to view an Excel document regarding their order. The Excel document contains the Remcos RAT, which is typically used to capture keystrokes, screenshots, credentials, and other sensitive system information and send them to Command-and-Control (C2) servers under the control of the threat actors. These emails have also reached users in the US.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased