The Computer Emergency Response Team of Ukraine (CERT-UA) warns of massive cyberattacks targeting telecommunication operators. According to the report, CERT-UA received information from a participant in the information exchange on the mass mailing of e-mails among media organizations of Ukraine including radio stations, newspapers, news agencies, etc titled “LIST of links to interactive maps”.
CERT-UA team says more than 500 destination email addresses have been identified. These emails contain an attached document. Upon opening the attachment, may begin downloading of CrescentImp malware.
Experts warn that cybercriminals have been increasingly resorting to email spamming from compromised addresses of public institutions.
A report says the attackers continue to exploit vulnerability tracked as (CVE-2022-30190) and are increasingly using e-mails from compromised government e-mail addresses.
A remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) is currently tracked as CVE-2022-30190. The security issue can be triggered by either opening or selecting a specially crafted document and threat actors have been exploiting it in attacks since at least April 2022.
Infection chain dropping CrescentImp malware
Therefore, this activity is tracked by UAC-0113, attributed to the Sandworm group with a medium certainty level. Notably, this group was involved in coordinating a massive attack on the energy sector of Ukraine in April.
Sandworm is a Russian threat actor associated (in MITRE’s ATT&CK catalogue) with Russia’s GRU military intelligence service and possibly best known for its role in the 2015 and 2016 cyberattacks against sections of Ukraine’s power grid. This group has also been fingered for the 2017 NotPetya pseudo-ransomware attack and 2018’s Olympic Destroyer incident.
CERT-UA has given a set of indicators of compromise to help defenders identify CrescentImp infections. Nevertheless, it is unclear what type of malware family CrescentImp belongs to or its functionality. The hashes from CERT-UA show no detection at the moment on the Virus Total scanning platform.