The Ukraine Computer Emergency Response Team (CERT-UA) has issued a warning regarding the infiltration of over 2,000 computers within the country by the notorious malware strain known as DirtyMoe.
Pinpointing the threat actor behind the campaign as UAC-0027, CERT-UA has highlighted the capabilities of DirtyMoe, which has been active since at least 2016. This malware is proficient in executing cryptojacking and distributed denial-of-service (DDoS) attacks. Notably, cybersecurity firm Avast uncovered the worm-like propagation of DirtyMoe in March 2022, exploiting known security vulnerabilities.
The delivery mechanism for the DDoS botnet involves the utilization of another malware, Purple Fox, or through deceptive MSI installer packages masquerading as popular software like Telegram. Purple Fox is armed with a rootkit, enhancing its ability to conceal itself on infected machines, making detection and removal challenging.
The specific initial access vector employed in the Ukraine-targeted campaign remains undisclosed. CERT-UA recommends organizations to maintain updated systems, implement network segmentation, and monitor network traffic for any unusual activities.
Simultaneously, cybersecurity firm Securonix has revealed details of an ongoing phishing campaign named STEADY#URSA, targeting Ukrainian military personnel. The campaign aims to deploy a customized PowerShell backdoor called SUBTLE-PAWS. The attack involves executing a malicious shortcut (.lnk) file, which then loads and executes the PowerShell backdoor payload code. This campaign is linked to the threat actor Shuckworm, also known as Aqua Blizzard, Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, believed to be affiliated with Russia's Federal Security Service (FSB) since 2013.
SUBTLE-PAWS, aside from establishing persistence on the host, leverages Telegram's Telegraph blogging platform to retrieve command-and-control (C2) information. This technique, identified with the adversary since early 2023, enables SUBTLE-PAWS to propagate through removable drives. Researchers have noted SUBTLE-PAWS as an evolution of the LitterDrifter campaign, showcasing advancements such as its transition from vbscript to PowerShell and employing distinct persistence mechanisms. The backdoor utilizes sophisticated techniques, dynamically executing malicious payloads by storing and retrieving executable PowerShell code from the Windows Registry. This approach facilitates evasion of traditional file-based detection methods and ensures persistence on infected systems even after reboots or interruptions, according to Securonix researchers.