Telecom service providers in Ukraine targeted by a new RAT campaign

July 2, 2022

CERT-UA recently issued an advisory about threat actors targeting Ukrainian telecom service providers in a new attack campaign. According to the advisory, the attackers distributed malicious spam (malspam) emails to their victims with the subject ‘Free Primary Legal Aid.’

The phishing emails aim to lure victims into installing the DarkCrystal RAT (DCRat) on their computers. The attachment is a password-protected archive titled ‘Algorithm of actions of members of the family of a missing serviceman LegalAid.rar’; it contains a macro-enabled file whose macro executes a PowerShell command when the file is opened.
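A detection a defender would want for the delivery step described above (an Office host spawning PowerShell), as an added example that is not part of the CERT-UA advisory or this article. The log lines are constructed, the field names follow the shape of Sysmon process-creation events, and the severity heuristics are the author's own assumptions.

```python
import json
import re

# Office hosts that run VBA macros; a macro launching PowerShell is the
# delivery step described for the DCRat malspam above.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line traits (assumed heuristics) that raise a hit from "medium" to "high".
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b)", re.I
)

def _basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def load_events(jsonl):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]

def detect_macro_powershell(events):
    """Return an alert for every process-creation event where an Office host spawns PowerShell."""
    alerts = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in OFFICE_HOSTS and child in SHELLS:
            cmd = ev.get("CommandLine", "")
            severity = "high" if SUSPICIOUS_ARGS.search(cmd) else "medium"
            alerts.append({"host": ev.get("Computer"), "parent": parent,
                           "child": child, "severity": severity})
    return alerts

# Constructed sample events in a Sysmon Event ID 1 (process create) shape; not real telemetry.
SAMPLE_LOG = r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"}
{"Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"Computer": "WS02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -File C:\\Users\\user\\report.ps1"}
{"Computer": "WS02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
"""

if __name__ == "__main__":
    for alert in detect_macro_powershell(load_events(SAMPLE_LOG)):
        print(alert)
```

Only the two Office-to-PowerShell chains are flagged; PowerShell started from Explorer and Excel launching the print helper are left alone.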

The DCRat remote access trojan first emerged in 2018. It is .NET-based malware that lets attackers steal data from victims, capture screenshots, log keystrokes, harvest cookies and credentials from web browsers, and collect information about the compromised computer. Recent findings also show DCRat being offered for sale on Russian-based dark web marketplaces.

To evade detection, the RAT operators pack the malware with an as-yet-unidentified packer that checks the computer name while unpacking.

Ukrainian telecom service providers are among the many sectors in Ukraine that have been subjected to cyberattacks since the war with Russia began.

Some of the most recent CERT-UA advisories on attacks against the country cover threat groups targeting Ukrainian media firms with the Follina zero-day flaw to spread malware. Another warning described the Russian-based APT groups APT28 and UAC-0098 abusing the Follina zero-day to deploy Cobalt Strike beacons and other malware strains against companies in Ukraine.

These threat actors rely mostly on phishing to spread their malicious payloads, such as the Jester and IcedID malware strains delivered in two separate campaigns in April and May this year.

Experts believe that as long as the war between Ukraine and Russia remains active, cyberattacks between the two countries will continue. These attacks will keep affecting many sectors in both countries, including Ukraine’s telecom service providers, as the threat actors continue to refine their tactics.
