Ukraine’s Computer Emergency Response Team (CERT-UA) has uncovered cyber-attacks which use malicious emails with photos of alleged prisoners of war (POWs) from the Kursk direction.
In July 2024, Ukraine launched a series of attacks into the Kursk region of Russia in a move to divert Russian forces and resources away from the main frontlines.
Distribution of Spectr Spyware and Firmachagent Malware
These malicious emails contain a link to a downloadable archive containing a file with the Compiled HTML Help (.chm) extension, a file format primarily used by Microsoft to store help documentation and manuals.
According to CERT-UA, part of the State Special Communications Service of Ukraine (SSSCIP), opening the file installs components of the Spectr spyware as well as a new piece of malware called Firmachagent.
The latter retrieves the data stolen by Spectr and sends it to a remote management server.
CERT-UA suspects Vermin (aka UAC-0020), a threat actor group linked to the Luhansk People's Republic and believed to be acting on behalf of the Kremlin, to be responsible for these cyber-attacks.
CERT-UA Mitigation Recommendations
In its security advisory, published on August 19, CERT-UA recommended the following steps to mitigate the threat:
- Restrict users' permissions by removing them from the "Administrators" group to reduce the attack surface
- Apply policies (Software Restriction Policies (SRP)/AppLocker) to prevent users from launching .chm files and powershell.exe
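The two recommendations above can be applied on a single Windows host with the script below. It is an added example written for this page, not a script published by CERT-UA or SSSCIP. It assumes a placeholder account name (CONTOSO\alice), placeholder rule GUIDs, and that the host already has an AppLocker policy containing the default "allow" rules; since AppLocker only evaluates executables, ".chm files" are blocked by denying hh.exe, the HTML Help viewer that Windows uses to open them. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the CERT-UA advisory): apply CERT-UA's two mitigations on one host.
# Assumptions: $UserToDemote is a placeholder account; the rule Ids are placeholder GUIDs;
# an AppLocker policy with the default allow rules already exists, so the deny rules
# below are merged into it rather than replacing it (a deny-only policy with enforcement
# enabled would block every other program for the targeted group).

param(
    [string]$UserToDemote = 'CONTOSO\alice'   # placeholder, replace with the real account
)

# Step 1 (least privilege): remove the account from the local Administrators group.
if (Get-LocalGroupMember -Group 'Administrators' -Member $UserToDemote -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $UserToDemote
    Write-Host "Removed $UserToDemote from the local Administrators group"
}

# Step 2 (AppLocker): deny hh.exe (the .chm viewer) and powershell.exe for BUILTIN\Users
# (SID S-1-5-32-545). Deny rules win over allow rules; administrators are not in scope,
# so they can still manage the host. Both 64-bit and 32-bit copies are covered.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Deny HTML Help viewer (hh.exe)"
                  Description="Blocks .chm lures (CERT-UA advisory, Aug 2024)"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\hh.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Deny 32-bit HTML Help viewer"
                  Description="Blocks .chm lures (CERT-UA advisory, Aug 2024)"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\hh.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Deny Windows PowerShell"
                  Description="Blocks powershell.exe for standard users"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Deny 32-bit Windows PowerShell"
                  Description="Blocks powershell.exe for standard users"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-chm-powershell.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Merge the deny rules into the existing local policy (keeps the default allow rules).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify against the merged policy: hh.exe and powershell.exe should be Denied for the
# demoted user, while an unrelated program such as notepad.exe stays Allowed.
$mergedPath = Join-Path $env:TEMP 'merged-applocker-policy.xml'
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $mergedPath -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $mergedPath -User $UserToDemote -Path @(
    "$env:WINDIR\hh.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker rules are only enforced while the Application Identity service runs.
# sc.exe is used because Set-Service cannot change this protected service on newer builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

The `Test-AppLockerPolicy` call is the check worth keeping: it evaluates the policy without launching anything, so a misconfiguration (for example, a missing default allow rule that would lock users out of every program) shows up as unexpected `Denied` decisions before enforcement takes effect. In a domain, the same XML is imported into a Group Policy Object instead of the local policy. The rules above cover only the two binaries CERT-UA names; `powershell_ise.exe` and PowerShell 7 (`pwsh.exe`) are separate executables and need their own rules if they are present on the host.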
The Ukrainian authorities also urged anyone who received the malicious email to contact CERT-UA.