The Ukrainian government computer emergency response team, CERT-UA, found the RAR archive “Диверсанти.rar”, which contains the RAR archive “Диверсанти 21.03.rar”, which in turn contains the SFX archive “Диверсанти filercs.rar” (to mask the extension, the file name contains a right-to-left override (RTLO) character).
The archive contains decoy documents and images, as well as VBScript code (Thumbs.db) that creates and runs the .NET program “dhdhk0k34.com”. As a result, the computer is infected with the malicious program Cobalt Strike Beacon. – CERT-UA
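The RTLO trick described above works because a file manager renders the text after U+202E reversed, so the name a user sees can end in one extension while the operating system opens the file by another. The following is an added detection example, not code from CERT-UA or from the advisory: it scans a list of attachment names for Unicode bidirectional control characters, approximates how each name would be displayed, and flags cases where the displayed extension differs from the real one. The file names in the sample list are constructed for the example; the first is modelled on the naming pattern in the advisory and is not the actual file.

```python
import os

# Unicode bidirectional formatting characters. They change how a name is
# displayed but not how the OS interprets it, so they rarely belong in
# legitimate file names.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions Windows treats as directly executable (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".msi", ".ps1", ".hta"}


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders the name.

    Text following a right-to-left override (U+202E) is shown reversed until
    a pop-directional-formatting character (U+202C) or the end of the string.
    Other bidi controls are invisible and simply dropped. This is a
    simplification of the Unicode bidi algorithm, but it is enough to expose
    extension spoofing.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch in BIDI_CONTROLS:
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Report bidi controls in a file name and whether its visible extension
    disagrees with the extension the OS will actually use."""
    controls = [(idx, BIDI_CONTROLS[c]) for idx, c in enumerate(name)
                if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    actual_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed": shown,
        "actual_extension": actual_ext,
        "displayed_extension": shown_ext,
        # Any bidi control in a file name is worth a look on its own.
        "suspicious": bool(controls),
        "extension_spoofed": bool(controls) and actual_ext != shown_ext,
        "executable": actual_ext in EXECUTABLE_EXTS,
    }


def scan_names(names):
    """Return analysis records for every name that contains a bidi control."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names (not real indicators).
    SAMPLE_NAMES = [
        "Диверсанти file\u202erar.scr",   # modelled on the advisory's pattern
        "invoice\u202efdp.exe",
        "report.pdf",
        "Thumbs.db",
    ]
    for rec in scan_names(SAMPLE_NAMES):
        print(f"displayed as : {rec['displayed']}")
        print(f"real ext     : {rec['actual_extension']}"
              f"  (shown as {rec['displayed_extension']})")
        print(f"spoofed={rec['extension_spoofed']} executable={rec['executable']}")
        print()
```

In a mail gateway or EDR rule the same logic reduces to "reject or quarantine any attachment whose name contains a character in the U+202A..U+202E or U+2066..U+2069 range"; the display approximation above is mainly useful for explaining to an analyst what the recipient would have seen.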
CERT-UA has attributed this activity, with medium confidence, to the GhostWriter group.
GhostWriter is a state-sponsored threat group that has targeted individuals in Poland, Latvia, and Lithuania. Its campaign began in mid-2020, and the actors behind these attacks have since been linked to UNC1151, a Minsk-based state-sponsored APT group that conducts malware campaigns and credential-harvesting attacks. UNC1151 has been targeting Ukrainian government officials and military personnel with mass phishing emails. Once an account is compromised, the attackers retrieve all of its messages over IMAP, then use contact details from the victim’s address book to send further phishing emails.