CERT-UA warns of new Vermin-linked phishing attacks with PoW bait

21 August 2024 | Ravie Lakshmanan | Cyber warfare / threat intelligence


The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new phishing attacks aimed at infecting devices with malware.

The activity has been attributed to a threat cluster tracked as UAC-0020, also known as Vermin. The exact scale and scope of the attacks are currently unknown.

The attack chains begin with phishing messages containing photos of alleged prisoners of war from the Kursk region and asking recipients to click on a link that points to a ZIP archive.

The ZIP file contains a Microsoft Compiled HTML Help (CHM) file that embeds JavaScript code responsible for launching an obfuscated PowerShell script.
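As an added example (not from CERT-UA or the original article), a triage check for the delivery pattern described above: it flags downloaded or attached ZIP archives that carry a CHM file, recognised by its `ITSF` header rather than by its name. The function names, nesting and size limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

CHM_MAGIC = b"ITSF"          # signature at offset 0 of a Compiled HTML Help file
ZIP_MAGIC = b"PK\x03\x04"    # local file header that starts a non-empty ZIP
MAX_DEPTH = 3                # assumption: stop after three levels of nested archives
MAX_NESTED_SIZE = 50 << 20   # assumption: do not unpack nested archives over 50 MiB


def find_chm_members(zip_bytes, depth=0, prefix=""):
    """Return (path, reason) for each member that is, or may hide, a CHM file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            named = info.filename.lower().endswith(".chm")
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                if named:
                    findings.append((path, "encrypted member named .chm"))
                continue
            with zf.open(info) as member:
                head = member.read(4)  # header only, so a huge member costs little
            if head == CHM_MAGIC:
                findings.append((path, "CHM" if named else "CHM with misleading extension"))
            elif head == ZIP_MAGIC and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_SIZE:
                findings += find_chm_members(zf.read(info), depth + 1, path + "!")
    return findings


def build_sample():
    """Constructed test archive: harmless stub bytes, not a real CHM or malware sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("list.pdf", CHM_MAGIC + b"\x03\x00\x00\x00stub")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("photos/img1.jpg", b"\xff\xd8\xff\xe0stub")
        zf.writestr("photos/info.chm", CHM_MAGIC + b"\x03\x00\x00\x00stub")
        zf.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_chm_members(build_sample()):
        print(f"{path}: {reason}")
```

A hit is a reason to quarantine the archive for analysis, since CHM files are rarely exchanged legitimately by e-mail or download link.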


“Opening the file installs components of the known spyware SPECTR as well as the new malware called FIRMACHAGENT,” CERT-UA said. “The purpose of FIRMACHAGENT is to retrieve the data stolen by SPECTR and send it to a remote management server.”

SPECTR is a known malware that was linked to Vermin back in 2019. The group is believed to be linked to the security authorities of the Luhansk People’s Republic (LPR).

In early June this year, CERT-UA reported in detail on another campaign, called SickSync, that was orchestrated by Vermin actors and targeted the country’s defense forces using SPECTR.

SPECTR is a fully functional tool for collecting a wide range of information including files, screenshots, login credentials and data from various instant messaging apps such as Element, Signal, Skype and Telegram.


By Bronte
