Ukraine’s Computer Emergency Response Team (CERT-UA) has recently warned of a cyber espionage campaign targeting state bodies in the country. The threat actor, tracked as UAC-0063 and active since 2021, is believed to be behind the attack, which uses phishing lures to deploy malicious tools on infected systems. The emails, sent from a previously compromised mailbox, are disguised as coming from the Embassy of Tajikistan in Ukraine and carry a Microsoft Word document containing an encoded VBScript called HATVIBE. This script is used to drop additional malware, such as a keylogger (LOGPIE), a Python-based backdoor (CHERRYSPY), and a tool for exfiltrating specific files (STILLARCH or DownEx). It is worth noting that DownEx has been documented by Bitdefender as being used in highly targeted attacks against government entities in Kazakhstan and Afghanistan. The origins of the hacking crew remain unknown; however, CERT-UA suggests the group also targets organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.

Since Microsoft began blocking macros by default in Office files downloaded from the web, some threat actors have started to experiment and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques like HTML smuggling. Proofpoint has observed multiple initial access brokers (IABs) using PDF and OneNote files since December 2022, indicating a rapid rate of change among many threat actors. This suggests that they have the capability to rapidly develop and execute new techniques and are no longer relying on one or a few of them.
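As an added defender-side illustration (not code from CERT-UA, Proofpoint, or the article), the following mail-gateway triage heuristic flags the attachment types named above and the in-browser decode/blob/download pattern that characterises HTML smuggling; the sample attachments, extension sets and thresholds are constructed assumptions, not indicators from the campaign.

```python
import re
from typing import Dict, List

# File types the summary above names as substitutes for macro-enabled documents
# (PDF and OneNote included because the text mentions them; expect review noise from PDFs).
UNCOMMON_DELIVERY_EXT = {"chm", "iso", "lnk", "vhd", "xll", "wsf", "pdf", "one"}

# HTML smuggling rebuilds the payload inside the browser: an embedded blob is decoded,
# wrapped in a Blob and handed to a forced download. Each regex catches one of those steps.
_DECODE_API = re.compile(r"\b(atob|Blob|msSaveOrOpenBlob|createObjectURL)\b")
_LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
_DOWNLOAD = re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.IGNORECASE)


def html_smuggling_indicators(html: str) -> List[str]:
    """Return the smuggling primitives found in an HTML attachment body."""
    found = []
    apis = sorted({m.group(1) for m in _DECODE_API.finditer(html)})
    if apis:
        found.append("decode/blob API: " + ", ".join(apis))
    if _LONG_BASE64.search(html):
        found.append("long base64 literal")
    if _DOWNLOAD.search(html):
        found.append("forced download")
    return found


def triage_attachment(name: str, content: bytes) -> Dict[str, object]:
    """Score one attachment by filename and body; 'reasons' explains the verdict."""
    pieces = name.lower().split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    reasons = []
    if ext in UNCOMMON_DELIVERY_EXT:
        reasons.append(f"uncommon delivery type .{ext}")
    if len(pieces) > 2 and pieces[-2] in {"pdf", "doc", "docx", "xlsx", "txt"}:
        reasons.append("double extension hides real type")
    if ext in {"html", "htm"}:
        reasons += html_smuggling_indicators(content.decode("utf-8", "replace"))
    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "allow"
    return {"name": name, "verdict": verdict, "reasons": reasons}


# Constructed samples, not real campaign artefacts: a benign document, a smuggling page
# whose "payload" is just a placeholder run of 'A's, and a double-extension shortcut file.
SAMPLES = {
    "agenda.docx": b"PK\x03\x04 placeholder office container",
    "invoice.html": ("<script>var b=atob('" + "A" * 240 + "');"
                     "var f=new Blob([b]);var a=document.createElement('a');"
                     "a.href=URL.createObjectURL(f);a.download='invoice.iso';a.click();"
                     "</script>").encode(),
    "scan.pdf.lnk": b"L\x00\x00\x00 placeholder shortcut header",
}
```

Run `triage_attachment(name, body)` over each entry in `SAMPLES` to see the verdicts; in production the same function would sit behind the gateway's attachment hook and feed the reasons into the alert.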
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.