Malware Disguised as Cyber Tool

People are being infected with password-stealing Trojans due to a new malware campaign taking advantage of their willingness to support Ukraine’s cyberwarfare against Russia.

Ukraine announced last month that it was creating a new IT Army made up of volunteers worldwide that would conduct attacks against Russian entities using cyberspace.

Many people throughout the world have come out in support of this initiative, even though it is indeed illegal to target Russian agencies and websites.

The use of unwitting users seeking tools to conduct their own cyberattacks against Russian entities is one of the new developments that cybercriminals are taking advantage of during the conflict.

These tools have been advertised across a variety of social media platforms as ways to target Russian websites as interest in crowd-sourced attacks has grown in recent days.

Imitating a real DDoS tool

Using malware that mimics a DDoS tool called the “Liberator,” Cisco Talos researchers have recently discovered this malicious campaign targeting the Ukrainian IT Army.

The Ukrainian Minister for Digital Transformation, Mykhaylo Fedorov, pushed for action against Russia after the country’s invasion began, calling for the formation of an IT Army, comprised of volunteer soldiers, to execute a gigantic offensive against them.

Apart from this, here the hackers of the IT Army hacking group have coordinated all their efforts on Telegram and planned their cyber-attacks.

In this event, the threat actors are targeting the Ukrainian sympathizers by luring them with offensive cyber tools to target the Russian entities and websites.

Cybersecurity analysts at Cisco Talos have claimed that the fake DDoS tool, “Liberator” is a website bomber and it could be used against Russian propaganda outlets.

Those distributed via Telegram, however, contain malware payloads and there is no way to tell them apart since they are not digitally signed. The versions downloaded from the real site are “clean”, and they are likely illegal to use.


Using a dropper posed as the Disbalancer[.]exe tool, this malicious campaign uses an executable that is protected by ASProtect, a well-known executable packager.

However, here, debugging the malware execution will produce a general error message for cybersecurity researchers. Following the anti-debug checks, the malware launches Regsvcs.exe, the .NET framework component included with the malware.

In this whole process, the malware loads the Phoenix information stealer in memory of the infected system of the victim. By exploiting this infostealer, a threat actor can steal the following data from:-

  • Web browsers
  • VPN tools
  • Discord
  • Filesystem locations

The data stolen by the infostealer are directly sent to a remote IP address (95[.]142[.]46[.]35) on port 6666.

Don’t Participate in these Cyberattacks

It is understandable that numerous people feel motivated to act against this unprovoked large-scale military invasion, but the fact is that participating in these ongoing cyberattacks is never a good idea.

The law enforcement agencies of the country in which the user resides could find trouble if the user engages in DDoS, defacement, or network breaching attacks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.