Ukraine Identifies Central Asian Cyberespionage Campaign

Official Address of Ukraine's Embassy in Tajikistan Used to Send Phishing Emails
Hackers, possibly Russian, likely compromised the official email address of Ukraine's embassy in Tajikistan and used it to send phishing emails to organizations located in Central Asia, Israel and India.
The Computer Emergency Response Team of Ukraine disclosed Monday that an unidentified government agency had received emails from the Tajikistani outpost between April 18 and April 20. The embassy inbox was probably compromised, CERT-UA said.
Some phishing emails contained a document loaded with malicious macros, and others encouraged recipients to download the document from the internet.
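The two lure styles described above, a macro-laden attachment and a link that fetches the document from the internet, are what a mail gateway or incident responder has to triage. The following is an added example and not code from CERT-UA, Bitdefender or the campaign itself: it checks whether an Office attachment is an OOXML package carrying a VBA project part (the `vbaProject.bin` entry that macro-enabled files contain), and flags legacy OLE2 binaries that need deeper inspection. The sample documents are constructed in memory for illustration; the function and verdict strings are this example's own.

```python
import io
import zipfile

# Part names that hold VBA code inside an OOXML package (Word, Excel, PowerPoint).
VBA_PART_SUFFIX = "vbaproject.bin"
# Magic bytes of the legacy OLE2 compound file format (.doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_package(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real vbaProject.bin parts are OLE2 containers; a stub header suffices here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML package that contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith(VBA_PART_SUFFIX) for n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for quarantine decisions (verdict strings are hypothetical)."""
    lowered = filename.lower()
    if has_vba_project(data):
        # A VBA project inside a file named .docx is a format/extension mismatch and doubly suspicious.
        if lowered.endswith((".docx", ".xlsx", ".pptx")):
            return "macro-bearing package with non-macro extension: quarantine"
        return "macro-enabled package: quarantine for analysis"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office files can carry macros without a separate part name.
        return "legacy OLE2 document: inspect with an OLE parser before delivery"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "OOXML package without VBA project"
    return "not an Office package"


if __name__ == "__main__":
    for name, blob in (
        ("invoice.docm", build_sample_package(True)),
        ("report.docx", build_sample_package(True)),
        ("memo.docx", build_sample_package(False)),
        ("old.doc", OLE2_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
    ):
        print(f"{name}: {triage_attachment(name, blob)}")
```

The second lure, a link to download the document, bypasses attachment scanning entirely, so the same triage should be applied to files fetched by the link-rewriting or sandbox layer, not only to what arrives inline.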
The espionage tools included a backdoor, a keylogger and a malicious program CERT-UA calls Stillarch. The Ukrainian government is tracking the campaign as UAC-0063.
The possible Russia connection comes from Stillarch. In an analysis published earlier this month, Bitdefender dubbed the same malware DownEx (see: Russian Group Possibly Behind Cyberespionage in Central Asia).
Security researchers from Bitdefender wrote that they don't have hard evidence that Russian state hackers are behind DownEx and the hacking incidents in Central Asia associated with it. Among the indicators that suggested a Moscow link was a bait document created with a cracked version of Microsoft Office 2016 known as "SPecialiST RePack" that is popular in Russian-speaking countries. DownEx is also written in two programming languages, Python and C++, a practice previously observed in APT28, aka Fancy Bear.
Ukrainian cyber defenders say the hackers used obfuscation methods to stymie analysis of the malware, including deploying Pyarmor and the Themida packer.