With everyone’s attention turned to Ukraine, it was inevitable that this source of disquiet would be used by attackers as the subject of a phishing lure. A news report earlier this month showed that the European government personnel responsible for assisting refugees fleeing from Ukraine were likely targeted by a threat group called Ghostwriter – also known as TA445 or UNC1151 – who have previously been identified as working in the interests of Belarus.
Researchers discovered that an email, originating from a UKR[.]net email address, was sent to a European government entity containing a malicious Excel® document. UKR.net is a popular Ukrainian ISP and email provider, primarily used for personal email account creation. The email had the following subject line: “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.”
Researchers also theorize that the sender’s email account might belong to a member of the Ukrainian military, and was potentially compromised in a prior phishing campaign targeting Ukrainian soldiers and civilians.
Read more about SunSeed malware in our Research Team’s new blog, here:
Credit: YouTube/BlackBerry