The Kharkiv media outlet Gwara Media received an email from a supposed SBU employee asking them to file a request for information and provide a written response. There was a “Documents.zip” archive attached to the email, chief editor Serhiy Prokopenko told the IMI.
He also said that the team has not formally reported the incident to the police, but has informed them about it.
Around the same time, Ukraine’s Computer Emergency Response Team (CERT-UA), cited by the State Special Communications Service, recorded a mass mailing of emails with identical content. CERT-UA experts note that these emails are part of a Russian hacker attack on the mobile operator Kyivstar.
“The CERT-UA recorded letters with the subject ‘Request to the SBU’ and an attached archive ‘Documents.zip’ being mass mailed. The letter contains a password-protected RAR archive ‘Zapyt.rar’ with the executable file ‘Zapyt.exe’. Opening the archive and running the file, as in the previous case, damages the computer with the remote access software RemcosRAT,” the message says.
CERT-UA experts note that the RemcosRAT control servers are located on the technical infrastructure of the Malaysian hosting provider Shinjiru, which is typical of the hacker group UAC-0050, but also within the autonomous system AS44477.
CERT-UA experts once again recommend filtering emails with password-protected attachments (both archives and documents) at the mail gateway level.
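A gateway-side check for that recommendation, added here as an illustration and not CERT-UA’s or any product’s code: it flags a ZIP attachment whose entries are encrypted (general-purpose flag bit 0), recurses into nested archives, and for RAR inspects the RAR 4.x header flags and the RAR5 archive-encryption header. The sample bytes it builds are constructed for the demonstration, not a real Zapyt.rar.

```python
import io
import struct
import zipfile

RAR4_SIG, RAR5_SIG = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"

def rar_is_password_protected(data):
    """RAR4: MHD_PASSWORD (0x80) on the main header or LHD_PASSWORD (0x04) on any
    file header. RAR5: a header of type 4 right after the signature means the
    headers are encrypted (RAR5 per-file encryption lives in extra records and
    is not parsed here)."""
    if data.startswith(RAR5_SIG):
        # RAR5 header = CRC32, size (vint), type (vint); the first header is small,
        # so its size vint is one byte and the type byte sits at offset 13
        return len(data) > 13 and data[12] < 0x80 and data[13] == 4
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if (btype == 0x73 and flags & 0x80) or (btype == 0x74 and flags & 0x04):
            return True
        if btype == 0x7B or size < 7:                       # end block / corrupt size
            return False
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        pos += size + add                                   # skip header + packed data
    return False

def attachment_is_password_protected(data, depth=0):
    """Gateway check: the attachment, or an archive nested in it, is password-protected."""
    if data.startswith((RAR4_SIG, RAR5_SIG)):
        return rar_is_password_protected(data)
    if data.startswith(b"PK\x03\x04") and depth < 3:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:                    # ZIP bit 0: entry encrypted
                    return True
                if attachment_is_password_protected(zf.read(info), depth + 1):
                    return True
    return False

def build_constructed_sample():
    """Constructed, not real: a Documents.zip wrapping a RAR4 'Zapyt.rar' whose single
    file header (name Zapyt.exe) carries LHD_PASSWORD | LONG_BLOCK (0x8004)."""
    name = b"Zapyt.exe"
    main = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, 0x8004, 32 + len(name),
                       4, 4, 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Zapyt.rar", RAR4_SIG + main + fhdr + b"MZ\x90\x00")
    return buf.getvalue()
```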
This is not the first such attack by UAC-0050, the SSCS notes. Recently, the cybercriminals have been mass mailing letters about “judicial claims” and “debts”. Users from Ukraine and Poland have been targeted.