Ukraine’s DELTA military system users targeted by info-stealing malware

Ukraine

A compromised Ukrainian Ministry of Defense email account was found sending phishing emails and instant messages to users of the ‘DELTA’ situational awareness program to infect systems with information-stealing malware.

The campaign was highlighted in a report today by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel of the malware attack.

DELTA is an intelligence collection and management system created by Ukraine with the help of its allies to help the military track the movements of enemy forces.

The system provides comprehensive real-time information with high-level integration from multiple sources on a digital map that can run on any electronic device, from a laptop to a smartphone.

Digital certificates are used for signing software code and authenticating servers, telling security products running on the OS that the application has not been tampered with and that the server operator is who they claim to be.

Infection process

As part of this campaign, threat actors used email or instant messages with fake warnings that users need to update the ‘Delta’ certificates to continue using the system securely.

The malicious email contains a PDF document purportedly with certificate installation instructions, which includes links to download a ZIP archive named “certificates_rootCA.zip.”

Sample of email used in the campaign
Sample of email used in the campaign (CERT-UA)
Landing page from where victims download the ZIP file
Landing page from where victims download the ZIP file (CERT-UA)

The archive contains a digitally signed executable named “certificates_rootCA.exe,” which, upon launch, creates several DLL files on the victim’s system and launches “ais.exe,” which simulates the certificate installation process.

This step convinces the victim that the process was legitimate and reduces the chances of them realizing they have been breached.

Certificate installation dialog
Certificate installation dialog (CERT-UA)

Both the EXE files and the DLLs are protected by VMProtect, a legitimate software that is used for wrapping files in standalone virtualized machines, encrypting their content, and making AV analysis or detection impossible.

The dropped DLLs, “FileInfo.dll” and “procsys.dll,” are malware, identified by CERT-UA as ‘FateGrab’ and ‘StealDeal.’

FateGrab is an FTP file stealer targeting documents and emails of the following file formats: ‘.txt’, ‘.rtf’, ‘.xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘.doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’, ‘.email.’

StealDeal is an information stealer malware that can, among other things, steal internet browsing data and passwords stored on the web browser.

CERT-UA was unable to link the above operation to any known threat actors.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

join
Click Above for Telegram
discord
Click Above for Discord
reddit
Click Above for Reddit
hd linkedin
Click Above For LinkedIn