Ukraine's technical security and intelligence service is warning of a new wave of cyber attacks aimed at gaining access to users' Telegram accounts.
"The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS," the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in an alert.
The attacks begin with Telegram messages telling recipients that a login to their account has been detected from a new device located in Russia, and urging them to confirm their account by clicking a link.
The URL, in reality a phishing domain, prompts victims to enter their phone number and the one-time password delivered by SMS. With both in hand, the threat actors complete the login themselves and take over the account; the SMS code is Telegram's only barrier here unless the user has also enabled two-step verification with a cloud password.
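The lure only works because the phishing page looks like it belongs to Telegram. A practical triage step is to check where a "confirm your account" link actually points before anyone types an SMS code into it. The following Python is an added example, not code from the SSSCIP or CERT-UA advisories: it takes a link out of a message and decides whether its host is a real Telegram domain, an impersonation of one (brand name in the host, a legitimate domain used as a leading subdomain, or a fake host placed in the URL's user-info part), or a host that cannot be verified by eye because it uses non-ASCII or punycode labels. The allowlist of Telegram domains and all sample URLs are assumptions constructed for the example, and the registrable-domain logic is deliberately simplified (it takes the last two labels rather than consulting a public-suffix list).

```python
"""Triage links that claim to lead to Telegram.

Added example, not part of the original advisories. The domain allowlist,
brand tokens and sample URLs below are constructed for illustration.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: registrable domains Telegram actually uses for its web properties.
TELEGRAM_DOMAINS = {"telegram.org", "telegram.me", "telegram.dog", "t.me"}

# Substrings whose presence in a non-Telegram host signals impersonation.
BRAND_TOKENS = ("telegram", "t-me")


def _registrable(host: str) -> str:
    """Last two labels of the host, e.g. 'web.telegram.org' -> 'telegram.org'.

    Simplified on purpose: a real deployment would use a public-suffix list
    so that hosts under 'co.uk' and similar suffixes are handled correctly.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def _looks_branded(text: str) -> bool:
    """True if the text carries a Telegram brand token or a Telegram domain
    followed by a dot, i.e. the real domain used as a misleading prefix
    ('telegram.org.example-login.com')."""
    return any(t in text for t in BRAND_TOKENS) or any(
        d + "." in text for d in TELEGRAM_DOMAINS
    )


def classify_link(url: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).

    verdict is one of:
      'legitimate'  host is under a Telegram domain
      'lookalike'   host or user-info impersonates Telegram
      'suspicious'  host uses non-ASCII or punycode labels and cannot be
                    verified by eye
      'unrelated'   ordinary host that does not mention Telegram
      'invalid'     no http(s) scheme or no host
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid", ["unparseable URL"]

    host = parts.hostname  # lowercased; user-info and port already removed
    if parts.scheme not in ("http", "https") or not host:
        return "invalid", ["missing host or non-http scheme"]

    # Genuine Telegram hosts, including subdomains such as web.telegram.org.
    if _registrable(host) in TELEGRAM_DOMAINS:
        return "legitimate", []

    # Hosts a reader cannot compare against the allowlist by sight.
    if not host.isascii():
        return "suspicious", ["non-ASCII characters in host (possible homoglyphs)"]
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", ["punycode (IDN) label in host"]

    reasons = []
    # 'https://telegram.org@evil.example/...' shows the brand before the '@'
    # while the browser connects to evil.example.
    if parts.username and _looks_branded(parts.username.lower()):
        reasons.append(f"user-info '{parts.username}' mimics Telegram")
    if _looks_branded(host):
        reasons.append("Telegram brand used in a non-Telegram host")
    if reasons:
        return "lookalike", reasons
    return "unrelated", []


if __name__ == "__main__":
    # Constructed sample links, not real indicators from the advisories.
    for link in (
        "https://web.telegram.org/a/",
        "https://telegram.org.example-login.com/confirm",
        "https://telegram.org@evil.example/confirm",
        "https://t.me.login-confirm.com/",
        "https://t\u0435legram.org/",  # Cyrillic 'е' in place of Latin 'e'
        "https://example.com/",
    ):
        verdict, why = classify_link(link)
        print(f"{verdict:11} {link}  {'; '.join(why)}")
```

The ordering matters: the allowlist check runs first so that a real subdomain is never flagged, while non-ASCII and punycode hosts are reported before the brand-token checks because a homoglyph host such as the Cyrillic example never contains the ASCII string "telegram" and would otherwise fall through as "unrelated".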
The modus operandi mirrors that of an earlier phishing attack disclosed in early March, which used compromised inboxes belonging to various Indian entities to send phishing emails to Ukr.net users in order to hijack their accounts.
In a separate social engineering campaign observed by Ukraine's Computer Emergency Response Team (CERT-UA), war-themed email lures were sent to Ukrainian government agencies to deploy a piece of espionage malware.
The emails carry an HTML file attachment ("War Criminals of the Russian Federation.htm"); opening it leads to the download and execution of a PowerShell-based implant on the infected host.
CERT-UA attributed the attack to Armageddon, a Russia-based threat actor with ties to the Federal Security Service (FSB) that has a history of targeting Ukrainian entities since at least 2013.
In February 2022, the hacking group was linked to espionage attacks targeting government, military, non-governmental organization (NGO), judiciary, law enforcement, and non-profit entities, with the main goal of exfiltrating sensitive information.
Armageddon, also known by the moniker Gamaredon, is further believed to have singled out Latvian government officials in a related phishing attack toward the end of March 2022, using war-themed RAR archives to deliver malware.
Other phishing campaigns documented by CERT-UA in recent weeks have deployed a variety of malware, including GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, as well as a Ghostwriter-led operation to install the Cobalt Strike post-exploitation framework.
The disclosure comes as several advanced persistent threat (APT) groups from Iran, China, North Korea, and Russia have capitalized on the ongoing Russo-Ukrainian war as a pretext to backdoor victim networks and stage other malicious activities.