The Russian-backed UNC5812 threat group has been targeting Ukrainian military recruits with Android and Windows malware strains.
Based on reports, the malicious campaign uses a “Civil Defense” persona, a website, and a purpose-built Telegram channel to spread malware disguised as recruiter-avoidance software called “Sunspinner.”
The campaign targets Windows and Android devices with a distinct malware strain for each platform. This tactic allows the attackers to steal data from, and spy on, targeted users in real time.
UNC5812 poses as a trustworthy entity that supports the Ukrainian forces to deceive the targeted audience.
Investigations reveal that UNC5812 does not impersonate any legitimate Ukrainian entity in this campaign. Instead, the group presents itself as Ukraine-friendly, offering Ukrainian conscripts helpful software tools and assistance.
This fake persona uses a Telegram channel and a website to engage prospective victims and to push narratives critical of Ukraine’s recruiting and mobilisation efforts.
Google spotted the campaign last month, by which time the “Civil Defense” channel on Telegram already had 80,000 members. Users lured to the Civil Defense website were redirected to a download page for the malicious apps, which were presented as a crowd-sourced mapping tool to help users track and evade recruiters.
Google labels this software “Sunspinner.” The app displays a map with markers, which Google assesses to be inaccurate or false. The operators do not care that they serve false information, as the app’s primary purpose is to conceal the installation of malware that runs in the background.
Furthermore, researchers revealed that the bogus programs are available for Windows and Android, and they also suspect that the threat actors might soon include iOS and macOS.
The Windows download installs the Pronsis Loader, a malware loader that retrieves further malicious payloads from UNC5812’s server, such as the ‘PureStealer’ infostealer.
The Android download is an APK containing CraxsRAT, a commercially available backdoor. CraxsRAT allows its operators to track the victim’s position in real time, log keystrokes, activate audio recordings, collect contact lists, read SMS messages, exfiltrate files, and harvest passwords.
Ukrainian Windows and Android users should be wary of these schemes. Threat actors are now using a pro-Ukrainian pretext to deceive targets and deliver malware, so users should verify any website they are about to access to avoid falling victim to these deceitful campaigns.
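The capability list above gives a defender a practical triage rule: an app advertised as a map has little reason to request SMS, contacts, microphone or accessibility-service access. The following Python script is an added example, not code from the article or from Google's report; it parses an Android manifest, maps the permissions found to the spying capabilities the article attributes to CraxsRAT, and flags an app that claims several of them. The two manifests are constructed samples with placeholder package names, and the "three or more capabilities" threshold is an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the article attributes to CraxsRAT, mapped to the Android
# permissions an app needs to perform them (the mapping is general Android
# knowledge, not something taken from the article).
CAPABILITY_PERMISSIONS = {
    "real-time location tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "contact list collection": {"android.permission.READ_CONTACTS"},
    "SMS reading": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "file exfiltration": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    # Keystroke logging on Android is normally done by abusing an
    # accessibility service, which is declared on a <service> element.
    "keystroke logging (accessibility abuse)": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
}

# Assumed threshold: a "map" app claiming this many spying capabilities is flagged.
SUSPICIOUS_THRESHOLD = 3

# Constructed sample: a "map" app that also wants SMS, contacts, microphone
# and an accessibility service. Package name is a placeholder.
SAMPLE_SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.map">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".KeyCapture"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a map app that only asks for location.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.honestmap">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application/>
</manifest>"""


def extract_permissions(manifest_xml):
    """Collect permission names from <uses-permission> and <service> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(name_attr)
        if name:
            perms.add(name)
    # BIND_* permissions are declared on the component, not via uses-permission.
    for svc in root.iter("service"):
        perm = svc.get(perm_attr)
        if perm:
            perms.add(perm)
    return perms


def matched_capabilities(perms):
    """Return the sorted list of spying capabilities the permission set enables."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def assess(manifest_xml):
    """Summarise the manifest and flag it if it claims too many spying capabilities."""
    perms = extract_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {
        "permissions": sorted(perms),
        "capabilities": caps,
        "suspicious": len(caps) >= SUSPICIOUS_THRESHOLD,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_SUSPICIOUS_MANIFEST),
                            ("benign", SAMPLE_BENIGN_MANIFEST)):
        result = assess(manifest)
        print(label, "->", result["capabilities"], "flagged:", result["suspicious"])
```

The check is a coarse heuristic for triage, not a verdict: a legitimate app can hold several of these permissions, and a RAT can request them at runtime or hide behind a dropper, so the result should feed into, rather than replace, dynamic analysis of the APK.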