Fake antivirus updates used to deploy malware in Ukraine
Ukraine’s Computer Emergency Response Team (CERT-UA) warned that threat actors are using fake Windows antivirus updates to install Cobalt Strike and other malware in Ukraine. The phishing emails, which impersonate Ukrainian government agencies, propose a way to increase network security and advise recipients to download the BitdefenderWindowsUpdatePackage.exe., falsely dubbed a ‘critical security update’.
When executed, the malware downloads and installs a Cobalt Strike beacon. The malware also downloads a Go downloader (dropper.exe), which then decodes and executes a secondary file (java-sdk.exe). This secondary file modifies the registry of the infected system to establish persistence and downloads two additional payloads, the GraphSteel backdoor (microsoft-cortana.exe) and the GrimPlant backdoor (oracle-java.exe).
CERT-UA associates the malicious activity with the UAC-0056 group, also known as ‘Lorec53’, a sophisticated Russian-speaking threat group, with medium confidence.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.