Gandalf_The_Grey (thread author)
Poland says a state-backed threat group linked to Russia's military intelligence service (GRU) has been targeting Polish government institutions throughout the week.
According to evidence found by CSIRT MON, the country's Computer Security Incident Response Team (led by the Polish Minister of National Defense) and CERT Polska (the Polish computer emergency response team), Russian APT28 state hackers attacked multiple government institutions in a large-scale phishing campaign.
The phishing emails tried to trick recipients into clicking an embedded link that promised more information about a "mysterious Ukrainian woman" selling "used underwear" to "senior authorities in Poland and Ukraine."
Once clicked, the link redirected them through multiple websites before landing on a page that downloaded a ZIP archive. The archive contained a malicious executable disguised as a JPG image file and two hidden files: a DLL and a .BAT script.
If the target opens the camouflaged executable, it loads the DLL via DLL side-loading, which in turn runs the hidden script. The script displays a photo of a woman in a swimsuit in the Microsoft Edge browser as a distraction while simultaneously downloading a CMD file and changing its extension to JPG.
"The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then sends them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts," CERT Polska said.
Poland says Russian military hackers target its govt networks
www.bleepingcomputer.com
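The article describes a lure archive built from an executable named like a JPG, a hidden DLL and a hidden .BAT, plus a later CMD file renamed to .JPG. A defender can catch all of these with the same two checks: does a member's content match what its extension claims, and are DLL or script members flagged hidden so the user never sees them after extraction? The Python below is an added example written for this post, not code from BleepingComputer, CERT Polska or CSIRT MON; the archive it scans is constructed in memory with placeholder file names (photo.jpg, helper.dll, run.bat, pic.jpg) and is not a sample from the campaign.

```python
import io
import zipfile

PE_MAGIC = b"MZ"  # DOS/PE header every Windows executable and DLL starts with
IMAGE_MAGICS = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
SCRIPT_EXTS = {".bat", ".cmd", ".dll", ".exe", ".ps1", ".vbs", ".js"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" attribute bit stored in ZipInfo.external_attr


def build_sample_archive() -> bytes:
    """Build a constructed ZIP (not a real campaign sample) mirroring the lure layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "Image" that is really a PE executable: content begins with the MZ header.
        zf.writestr("photo.jpg", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        # Hidden DLL and hidden batch script: set the DOS hidden attribute bit.
        for name, payload in (("helper.dll", PE_MAGIC + b"\x00" * 32),
                              ("run.bat", b"@echo off\r\nrem placeholder\r\n")):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = DOS_HIDDEN
            zf.writestr(zi, payload)
        # A CMD script renamed to .jpg, like the second-stage file in the article.
        zf.writestr("pic.jpg", b"@echo off\r\nrem renamed cmd file\r\n")
        # A genuine JPEG for contrast; this one must not be flagged.
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


def _ext(name: str) -> str:
    """Lower-cased final extension of a member name, '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def scan_archive(data: bytes) -> list:
    """Return a finding per suspicious member: extension/content mismatch or hidden script/DLL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            with zf.open(info) as fh:
                head = fh.read(16)  # only the magic bytes are needed
            hidden = bool(info.external_attr & DOS_HIDDEN)
            if ext in IMAGE_MAGICS and head.startswith(PE_MAGIC):
                # Extension claims an image, content is a Windows executable.
                findings.append({"member": name, "reason": "pe_disguised_as_image"})
            elif ext in IMAGE_MAGICS and not any(
                head.startswith(m) for m in IMAGE_MAGICS[ext]
            ):
                # Extension claims an image, but the magic bytes match no image format
                # (covers a script or other non-image renamed to .jpg).
                findings.append({"member": name, "reason": "image_extension_wrong_magic"})
            if hidden and ext in SCRIPT_EXTS:
                # Hidden DLL/script members are invisible to the user after extraction.
                findings.append({"member": name, "reason": "hidden_script_or_dll"})
    return findings


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(f"{finding['member']}: {finding['reason']}")
```

The magic-byte check is the important one: renaming a file costs an attacker nothing, but the first bytes of a PE or a batch script cannot be made to look like a JPEG without breaking the file. Mail gateways and EDR that already unpack archives can apply the same rule on the extracted bytes rather than trusting the name.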