Headline
Russian Hackers Tricked Ukrainians with Fake "DoS Android Apps to Target Russia"
Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites. Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and
Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites.
Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia’s Federal Security Service (FSB).
“This is the first known instance of Turla distributing Android-related malware,” TAG researcher Billy Leonard said. “The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services.”
It’s worth noting that the onslaught of cyberattacks in the immediate aftermath of Russia’s unprovoked invasion of Ukraine prompted the latter to form an IT Army to stage counter-DDoS attacks against Russian websites. The goal of the Turla operation, it appears, is to use this volunteer-run effort to their own advantage.
The decoy app was hosted on a domain masquerading as the Azov Regiment, a unit of the National Guard of Ukraine, calling on people from around the world to fight “Russia’s aggression” by initiating a denial-of-service attack on the web servers belonging to “Russian websites to overwhelm their resources.”
Google TAG said the actors drew inspiration from another Android app distributed through a website named “stopwar[.]pro” that’s also designed to conduct DoS attacks by continually sending requests to the target websites.
That said, the actual number of times the malicious Cyber Azov app was installed is minuscule, posing no major impact on Android users.
Additionally, the Sandworm group (aka Voodoo Bear) has been connected to a separate set of malicious activities leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to send links pointing to Microsoft Office documents hosted on compromised websites targeting media entities in Ukraine.
UAC-0098, a threat actor that CERT-UA last month warned of distributing tax-themed documents carrying a Follina exploit, has also been assessed to be a former initial access broker with ties to the Conti group in charge of disseminating the IcedID banking trojan.
Other kinds of cyber activity include credential phishing attacks mounted by an adversary referred to as COLDRIVER (aka Callisto) aimed at government and defense officials, politicians, NGOs and think tanks, and journalists.
These involve sending emails either directly, including the phishing domain or containing links to documents hosted on Google Drive and Microsoft OneDrive that, in turn, feature links to an attacker-controlled website designed to steal passwords.
The latest developments are yet another indication of how Russian threat actors are exhibiting continued signs of increasing sophistication in their attempts to target in ways that highlight their evolving techniques.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather
A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show. Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT. The
Categories: Threat Intelligence Tags: APT Tags: rat Tags: russia The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities. (Read more...) The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.
Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.
The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.
Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.
Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.
An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a
A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you! Talos... [[ This is only the beginning! Please visit the blog for the complete entry ]]
Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.
An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in
"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.