Ukraine has been facing escalating cyberattacks from Russian state-sponsored hacking group Gamaredon, also known as Shuckworm or Armageddon, since Russia's invasion began six months ago, with the latest wave of attacks reported from July 15 to Aug. 8, according to BleepingComputer.
Gamaredon's latest attacks involved the use of phishing messages with a self-extracting 7-Zip archive that facilitates the retrieval of an XML file that prompts PowerShell info-stealer execution, a report from Symantec revealed. Moreover, the Pterodo and Giddome backdoors retrieved through VBS downloaders have also been leveraged by Gamaredon to enable audio recording, screenshot capturing, and keystroke logging and exfiltration, as well as additional payload execution.
Remote desktop protocol tools AnyDesk and Ammyy Admin have also been launched in the latest campaign, researchers found. The findings follow the disclosure of Ukraine's Computer Emergency Response Team regarding a novel Gamaredon phishing operation involving the use of compromised email accounts for HTM attachment delivery.
Sixty thousand emails were exfiltrated from U.S. State Department accounts by Chinese threat actors during the widespread compromise of Microsoft email accounts that began in May, a staffer working for Sen. Eric Schmitt, R-Mo., said, according to Reuters.
Threat actors have leveraged the ZeroFont phishing technique, which originally inserted hidden characters or words into emails to evade security detection systems, to alter the message previews shown in Microsoft Outlook and other email clients, BleepingComputer reports.
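To show how a mail filter can flag this technique, here is an added Python example (not from the article or from BleepingComputer) that parses a constructed HTML email, separates text styled with a zero font size from the text a recipient would actually see, and reports when hidden text is present; the sample message and the function names are assumptions.

```python
"""Detect ZeroFont-style hidden text in an HTML e-mail body (stdlib only)."""
import re
from html.parser import HTMLParser

# Matches inline styles such as "font-size:0", "font-size: 0px", "FONT-SIZE:0.0em".
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$|!)", re.I)
# Void elements never get an end tag, so they must not touch the nesting stack.
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}


class ZeroFontScanner(HTMLParser):
    """Collects visible and zero-font (hidden) text while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []  # one bool per open element: True if it is hidden

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self._stack[-1] if self._stack else False
        # A zero-font element hides itself and everything nested inside it.
        self._stack.append(parent_hidden or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            hidden = bool(self._stack) and self._stack[-1]
            (self.hidden if hidden else self.visible).append(text)


def scan_email_html(html):
    """Return visible text, hidden text and a flag for ZeroFont abuse."""
    parser = ZeroFontScanner()
    parser.feed(html)
    parser.close()
    return {"visible": " ".join(parser.visible),
            "hidden": " ".join(parser.hidden),
            "suspicious": bool(parser.hidden)}


# Constructed sample: hidden text placed first so it would dominate a client preview.
SAMPLE = """<html><body>
<span style="font-size:0px">Scanned by Trusted Security Gateway, no threats found.</span>
<p>Your invoice is overdue. Open the attached document now.</p>
<p style="FONT-SIZE: 0">and this is hidden too</p><br>
</body></html>"""
```

`scan_email_html(SAMPLE)["hidden"]` exposes the text a scanner or preview pane would ingest but the reader never sees, which is the signal to act on.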
BleepingComputer reports that individuals who have filed claims against bankrupt cryptocurrency lender Celsius have been subjected to phishing attacks involving the impersonation of the lender's claims agent, Stretto.