Security authorities in Ukraine have warned the country’s military of attempts to compromise a key situational awareness system, known as Delta.
Built to be compatible with NATO equipment, Delta “is a system for collecting, processing and displaying information about enemy forces, coordinating of defense forces, as well as providing situational awareness,” according to the Ukrainian military.
CERT-UA was notified by the Center for Innovations and Development of Defense Technologies over the weekend about a phishing campaign targeting users of the system.
Using a compromised Ministry of Defense email account and phishing messages, the threat actors are trying to persuade recipients they need to ‘update’ Delta in order to use it securely.
The email in question contains a malicious PDF attachment which appears to contain instructions on how to do this, alongside a link to a malicious ZIP archive.
If a recipient clicks on the link, a “certificates_rootca.zip” archive containing the “certificates_rootCA.exe” executable file protected by VMProtect will be downloaded to their computer, CERT-UA said.
“After running the exe file, several DLL files, also protected by VMProtect, and an ‘ais.exe’ file simulating the certificate installation process will be created on the PC,” it added.
“Later, two malicious programs will be launched on the victim's computer: FateGrab, the functionality of which involves stealing files … with their subsequent exfiltration via FTP, and StealDeal, designed, among other things, to steal internet browser data.”
VMProtect is a legitimate commercial protector: it rewrites selected code into bytecode for a custom virtual machine embedded in the binary, so the original instructions never appear in the file and analysis has to go through the interpreter. Here it is being used to obstruct static analysis and signature matching of the malicious exe and DLL files rather than to protect intellectual property.
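The chain described above starts with a ZIP that carries a packed Windows executable. The following triage script is an added example, not CERT-UA tooling or code from the campaign: it opens an archive in memory, lists every entry that is a PE image (by MZ/PE magic, not by extension), and flags images whose section table shows VMProtect's default section names (.vmp0, .vmp1, .vmp2). The archive and the PE headers it contains are constructed inline for the example; they are not the real certificates_rootca.zip. One entry, a PE named as a .pdf, is a constructed edge case to show why the check keys on file content rather than suffix. Caveat: VMProtect lets the operator rename sections, so an absent .vmp name is not a clean bill of health.

```python
"""Triage a ZIP attachment: list embedded PE images and flag VMProtect sections.
Added example; the archive and PE headers below are constructed for the demo."""
import io
import struct
import zipfile

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".cpl", ".sys")


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table starts after the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break                             # truncated table: report what we have
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Inspect every file in the archive; content decides, the suffix is only recorded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            sections = pe_section_names(data)
            findings.append({
                "name": info.filename,
                "is_pe": data[:2] == b"MZ" and bool(sections),
                "exec_suffix": info.filename.lower().endswith(EXEC_SUFFIXES),
                "vmprotect": any(s.startswith(".vmp") for s in sections),
                "sections": sections,
            })
    return findings


def flagged(findings: list[dict]) -> list[str]:
    """Names worth a closer look: VMProtect sections, or a PE hiding behind a non-exec suffix."""
    return [f["name"] for f in findings
            if f["vmprotect"] or (f["is_pe"] and not f["exec_suffix"])]


def build_fake_pe(section_names: list[bytes]) -> bytes:
    """Constructed minimal PE32 header (DOS header, COFF header, empty optional header,
    section table). Not a runnable binary; only the fields the parser reads are set."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for the lure's ZIP (not the real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certificates_rootCA.exe", build_fake_pe([b".text", b".vmp0", b".vmp1"]))
        zf.writestr("instructions.txt", b"Run the installer to update your Delta certificates.")
        zf.writestr("unpacked_tool.exe", build_fake_pe([b".text", b".rdata", b".data"]))
        zf.writestr("certificate.pdf", build_fake_pe([b".text", b".data"]))  # PE masquerading as PDF
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_zip())
    for f in results:
        print(f"{f['name']:<26} pe={f['is_pe']!s:<5} vmp={f['vmprotect']!s:<5} {f['sections']}")
    print("flagged:", flagged(results))
```

On a real sample the same parser works on the bytes of an unpacked .exe or .dll directly; the section-name check is a cheap first-pass signal and should feed a sandbox run rather than replace it.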
CERT-UA did not attribute the attack, although threat actors tied to the Russian state would be an obvious guess.