Hackers are mailing out a malicious link, posing as the SSCS – CERT-UA

Since November 7, the government's Computer Emergency Response Team of Ukraine (CERT-UA) has been recording emails with a malicious link, purportedly sent by the State Special Communications Service. This was reported by the CERT-UA press service.

The cyber attack is attributed to the UAC-0010 (Armageddon) group.

Clicking the link will download an HTML file with a JavaScript code that will create a RAR archive on the victim's computer, such as “08.11.2022.rar”.

The archive contains a shortcut file "TIP tools containing an expert opinion on compliance with technical information protection requirements.lnk"; opening the file will download and launch an HTA file. This, in turn, will cause a scheduled task to be created and a VBScript code to be run.

Finally, CERT-UA notes, other malicious software, namely for file theft, will be downloaded to the computer.

Emails are being sent through the @mail.gov.ua service. Moreover, as was the case before, the criminals are either using a third-party service (cloudflare-dns[.]com) or Telegram to determine the management server's IP address, CERT-UA notes.