
How the Ukraine Government was Targeted By MicroBackdoor Malware

by CISOCONNECT Bureau

Recently, a number of cyberattacks by various threat actors targeted the Ukrainian government and deployed the MicroBackdoor malware.

Ukraine’s Computer Emergency Response Team (CERT-UA) has confirmed that MicroBackdoor malware was used in a cyber-attack campaign targeting Ukrainian government agencies.

In a statement made earlier this week, on March 7, CERT-UA reported that government organisations have been the target of several malicious attacks.

According to intelligence acquired by the agency, phishing emails contained a file named ‘dovidka.zip’, which holds a contextual help file (Microsoft Compiled HTML Help) named ‘dovidka.chm’.

The file included the bait image ‘image.jpg,’ which CERT-UA described as information on the procedure for frequent artillery shelling, as well as the HTA-file ‘file.htm,’ which contained malicious code in VBScript.

When the malicious code is executed, the dropper ‘ignit.vbs’ is launched, which decodes the .NET loader ‘core.dll’, later executing the MicroBackdoor malware.
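The delivery chain above starts with a compiled help file inside a ZIP attachment, which a mail gateway or triage script can flag before anything runs. The following is an added example, not code from CERT-UA or this article: it reports ZIP members that are CHM files by name or by the `ITSF` file signature, including inside nested archives. The function names, the depth and size limits, and the stub sample attachment are assumptions constructed for illustration.

```python
import io
import zipfile

CHM_MAGIC = b"ITSF"        # first four bytes of a Compiled HTML Help file
ZIP_MAGIC = b"PK\x03\x04"  # first four bytes of a non-empty ZIP archive
MAX_DEPTH = 3              # assumed limit on nested archives
MAX_BYTES = 20 * 1024 * 1024  # assumed cap on a nested archive's unpacked size


def find_chm_members(data, depth=0, prefix=""):
    """Return paths of ZIP members that are CHM by content or by name."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP: nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            named_chm = info.filename.lower().endswith(".chm")
            if info.flag_bits & 0x1:  # encrypted member: only the name is visible
                if named_chm:
                    hits.append(path)
                continue
            with archive.open(info) as member:
                head = member.read(4)
            if head == CHM_MAGIC or named_chm:
                hits.append(path)
            elif head == ZIP_MAGIC and depth < MAX_DEPTH and info.file_size <= MAX_BYTES:
                hits += find_chm_members(archive.read(info), depth + 1, path + "!")
    return hits


def build_sample():
    """Constructed attachment: stub members only, no real help file or code."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.dat", CHM_MAGIC + b"\x00" * 12)  # CHM header, renamed
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("dovidka.chm", CHM_MAGIC + b"\x00" * 12)
        z.writestr("note.txt", b"plain text")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_chm_members(build_sample()):
        print("CHM in attachment:", hit)
```

Checking the signature as well as the extension catches a help file that was renamed before being archived.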

Pre-planned Cyberattacks
The backdoor and loader, according to CERT-UA, were created in January 2022, before Russia invaded Ukraine.

The malware campaign, according to Mandiant, is comparable to the activities of the UAC-0051 threat group, also known as ‘unc1151,’ which has ties to the Belarusian government.

More information about the attack can be found in the statement from CERT-UA.

On February 24, Russia invaded Ukraine. Since then, a series of cyber-attacks have been launched against organizations across Ukraine.

A newly identified strain of data-wiping malware has also surfaced in the eastern European country, as previously reported by The Daily Swig.

According to telemetry from information security firm ESET, the Windows-specific data wiper has appeared on “hundreds of machines”.

The malware’s date stamps show that it was created two months ago, implying that the attack was planned ahead of time.

Financial organizations and government contractors are among the victims of the malware campaign, according to the Wall Street Journal report.

Other Cyberattacks
At least 30 university websites in Ukraine were also hacked in a targeted attack apparently carried out by threat actors known as the ‘Monday Group,’ which has reportedly publicly backed Russia’s recent actions.

Since the invasion, the threat group, which calls itself ‘the Mx0nday,’ has targeted WordPress-hosted sites more than 100,000 times.
