The cybersecurity analysts at the security firm Proofpoint have recently discovered a new phishing campaign targeting European government personnel who are aiding Ukrainian refugees.
In this phishing campaign, state-sponsored actors send phishing emails purporting to come from the Security Service of Ukraine and apparently containing an evacuation plan.
The attachments the threat actors include in those emails are malicious and carry software for stealing personal data.
After analyzing the infection chain, researchers dubbed this phishing campaign “Asylum Ambuscade”; in this campaign, the threat actors are targeting the private email accounts of Ukrainian armed service members.
The malware distributed in this phishing campaign is based on Microsoft Remote Utilities software for remote access to Windows PCs; the malware itself is completely new, though not technically complicated.
The operators behind this campaign are still unknown, but it has been speculated that they might be TA445. This phishing attack used an “evacuation plan” lure against an unnamed European government organization providing assistance to Ukrainian refugees.
In this campaign, the phishing email was sent from a compromised email address ending in @ukr[.]net that is believed to belong to a military member.
The email contains a document carrying the SunSeed malware, which gives access to the infected computer and allows the threat actors to load additional harmful programs onto it.
The chosen victims were those responsible for transportation, distribution of funds and budget, administration, and the movement of people across Europe.
Through this malicious phishing campaign, the attackers might be attempting to collect essential information on logistics related to the movement of the following in NATO countries:-
Here’s what the Proofpoint researchers stated:-
“This activity, independent of attribution conclusions, represents an effort to target NATO entities with compromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies, and Ukraine.”
The number of phishing messages has increased significantly in recent times, but so far nothing is known about successful attacks. Moreover, the cybersecurity analysts attributed all these attacks to the hacker group Ghostwriter (UNC1151).