A compromised Ukrainian Ministry of Defense email account was found sending phishing emails and instant messages to users of the ‘DELTA’ situational awareness program to infect systems with information-stealing malware.
The campaign was highlighted in a report today by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel of the malware attack.
DELTA is an intelligence collection and management system created by Ukraine with the help of its allies to help the military track the movements of enemy forces.
The system provides comprehensive real-time information with high-level integration from multiple sources on a digital map that can run on any electronic device, from a laptop to a smartphone.
Digital certificates are used for signing software code and authenticating servers, telling security products running on the OS that the application has not been tampered with and that the server operator is who they claim to be.
As part of this campaign, threat actors used email or instant messages with fake warnings that users need to update the ‘Delta’ certificates to continue using the system securely.
The malicious email contains a PDF document purportedly with certificate installation instructions, which includes links to download a ZIP archive named “certificates_rootCA.zip.”
The archive contains a digitally signed executable named “certificates_rootCA.exe,” which, upon launch, creates several DLL files on the victim’s system and launches “ais.exe,” which simulates the certificate installation process.
This step convinces the victim that the process was legitimate and reduces the chances of them realizing they have been breached.
Both the EXE files and the DLLs are protected by VMProtect, a legitimate software that is used for wrapping files in standalone virtualized machines, encrypting their content, and making AV analysis or detection impossible.
The dropped DLLs, “FileInfo.dll” and “procsys.dll,” are malware, identified by CERT-UA as ‘FateGrab’ and ‘StealDeal.’
FateGrab is an FTP file stealer targeting documents and emails of the following file formats: ‘.txt’, ‘.rtf’, ‘.xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘.doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’, ‘.email.’
StealDeal is an information stealer malware that can, among other things, steal internet browsing data and passwords stored on the web browser.
CERT-UA was unable to link the above operation to any known threat actors.