
Pro-Russia group Vermin targets Ukraine with a new malware family


The Computer Emergency Response Team of Ukraine (CERT-UA) warned of new phishing attacks carried out by the Vermin group to distribute malware.

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign conducted by the Vermin group that distributed malware.

Vermin is a pro-Russian hacker group, also tracked as UAC-0020, that operates under the control of the law enforcement agencies of the temporarily occupied Luhansk.

The threat actor is using lures related to Ukraine’s offensive across the border.

The phishing messages include images of alleged prisoners of war from the Kursk region; the content is crafted to trick recipients into clicking a link that points to a ZIP archive (“spysok_kursk.zi”).

The ZIP archive contains a Microsoft Compiled HTML Help (CHM) file that embeds JavaScript code, which in turn executes an obfuscated PowerShell script.

The Vermin group attempted to deploy two malicious payloads in this campaign: the previously known Spectr spyware and a new malware family dubbed Firmachagent. In June 2024, CERT-UA warned of cyber attacks targeting Ukraine’s defense forces with SPECTR malware as part of another cyber espionage campaign, dubbed SickSync.

“The PowerShell code is designed to download components of the SPECTR malware (which steals documents, screenshots, browser data, etc.) and a new program called FIRMACHAGENT (“chrome_updater.dll,” primarily tasked with uploading stolen data to a command server),” reads the report published by CERT-UA. “It also creates scheduled tasks to run the orchestrator “IDCLIPNET_x86.dll” (which manages SPECTR plugins) and FIRMACHAGENT.”

CERT-UA recommends reducing the likelihood of this threat by minimizing the attack surface: restrict user account privileges (remove users from the “Administrators” group) and apply Software Restriction Policies (SRP) or AppLocker rules that prevent users from opening .CHM files and running powershell.exe.
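As an added example (not the article’s or CERT-UA’s own code), the PowerShell script below builds an AppLocker policy that implements that mitigation, denying the CHM viewer (hh.exe) and powershell.exe for standard users, then dry-runs it before merging it into the local policy. It assumes an elevated session on an AppLocker-capable Windows edition, the Application Identity service running, and the stock binary paths.

```powershell
# Added example (not from the article or CERT-UA): apply the advisory's AppLocker
# mitigation, denying the CHM viewer (hh.exe) and powershell.exe for standard users.
# Assumptions: elevated session, AppLocker-capable edition, AppIDSvc running, stock
# paths. Default allow rules are kept: an Exe collection with rules but no allow
# rules blocks every executable not explicitly allowed.
function New-PathRule([string]$Path, [string]$Sid, [string]$Action, [string]$Name) {
    $id = [guid]::NewGuid().ToString()
    "<FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

# Deny for Everyone (S-1-1-0). Deny rules win over allow rules in AppLocker; if
# administrators must keep PowerShell, scope the SID to a narrower group instead.
$Deny = @(
    '%WINDIR%\hh.exe',
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
) | ForEach-Object { New-PathRule $_ 'S-1-1-0' 'Deny' "Deny $_ (CHM/PowerShell lure mitigation)" }

# Equivalent of the AppLocker default rules for the Exe collection.
$Allow = @(
    (New-PathRule '%PROGRAMFILES%\*' 'S-1-1-0'      'Allow' 'Default: Program Files'),
    (New-PathRule '%WINDIR%\*'       'S-1-1-0'      'Allow' 'Default: Windows folder'),
    (New-PathRule '*'                'S-1-5-32-544' 'Allow' 'Default: Administrators')
)
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(($Deny + $Allow) -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'deny-chm-powershell.xml'
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Dry run before enforcing: the policy should decide "Denied" for the two binaries
# when evaluated as Everyone, while a routine system binary stays "Allowed".
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path @(
    "$env:windir\hh.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision -AutoSize

# Merge into the effective local policy (use the GPO-targeted form in a domain).
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Detection: event 8004 records executables AppLocker prevented from running.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8004 | Select-Object TimeCreated, Message
```

Run the `Test-AppLockerPolicy` step alone first; merging with `EnforcementMode="Enabled"` takes effect immediately on the host.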

CERT-UA’s report also includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, Vermin)