Ukraine targeted by Russian APT with fraudulent Windows Update guides

BleepingComputer reports that several Ukrainian government organizations have been targeted by the Russian state-sponsored hacking operation APT28, also known as Fancy Bear, in new attacks involving the use of malicious emails purportedly containing Windows Update guidelines for defending against cyberattacks. APT28 leveraged @outlook.com email addresses with real employee names to deliver the malicious emails, which would recommend the execution of a PowerShell command that downloads a PowerShell script before downloading another PowerShell payload, reported Ukraine's Computer Emergency Response Team. Exploitation of the "systeminfo" and "tasklist" commands are being facilitated by the second-stage payload to facilitate the collection of data, which is then sent to the Mocky service API. Such findings come after Russia was noted by Google's Threat Analysis Group to be the source of nearly 60% of phishing attacks against Ukraine, with APT28 being a significant actor. APT28 was also reported by the U.S., U.K., and Cisco to have targeted a zero-day flaw in Cisco routers to facilitate intelligence collection efforts using the Jaguar Tooth malware.