
🎯Basically, a new malware called AgingFly is stealing passwords from government and hospital computers in Ukraine.
What Happened
A new malware family named AgingFly has been identified in cyberattacks targeting local governments and hospitals in Ukraine. This malware is designed to steal authentication data from Chromium-based browsers and the WhatsApp messenger. The attacks were detected by Ukraine's CERT-UA last month, with indications that representatives of the Defense Forces may also be at risk.
Attack Chain
The attack typically begins with the target receiving an email that claims to offer humanitarian aid. This email contains a link that redirects the victim to a compromised legitimate site or a fake site created with AI tools. Once the victim clicks the link, they receive an archive containing a shortcut file (LNK) that triggers an HTA handler. This handler connects to a remote resource to download and execute additional payloads. The attackers employ a two-stage loader to deliver the AgingFly malware, which establishes a TCP reverse shell connection with the command and control (C2) server.
How It Works
AgingFly is a C# malware that provides attackers with extensive remote control capabilities, including command execution, file exfiltration, and keylogging. It communicates with its C2 server using WebSockets, encrypting the traffic with AES-CBC. A unique feature of AgingFly is that it does not include built-in command handlers; instead, it compiles them on the host from source code received from the C2 server. This method allows for a smaller initial payload and the ability to adapt its capabilities dynamically, although it increases the risk of detection.
Who's Being Targeted
The primary targets of AgingFly include local government officials and hospital staff in Ukraine. The malware has been specifically designed to extract sensitive information from Chromium-based browsers and the WhatsApp application for Windows, making it particularly dangerous for users of these platforms.
Signs of Infection
Indicators of an AgingFly infection may include unusual network activity, unexpected emails from unknown sources, and the presence of suspicious files such as LNK or HTA files on affected systems. Users should be vigilant for signs of unauthorized access or data breaches.
How to Protect Yourself
CERT-UA recommends several measures to mitigate the risk of AgingFly infections:
1. Block the launch of LNK, HTA, and JS files to disrupt the attack chain.
2. Educate users about the dangers of clicking on unknown links in emails.
3. Implement robust security measures, including regular updates and patches for software vulnerabilities.
4. Monitor network traffic for unusual patterns that may indicate malware activity.
By taking these precautions, organizations can better protect themselves against the threats posed by AgingFly and similar malware.
🔒 Pro insight: The dynamic compilation of command handlers in AgingFly may complicate detection, making traditional security measures less effective.
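To show how the described chain (LNK launching an HTA handler that fetches the next stage, and command handlers compiled from C# source on the host) translates into process-creation detection logic, here is an added example that is not part of the CERT-UA report or this article. It assumes the HTA handler is Windows' mshta.exe and that on-host compilation spawns csc.exe (as CodeDom-style compilation does); the sample events are constructed, not real telemetry.

```python
"""Triage process-creation events for stages of the AgingFly delivery chain."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # basename of the executed binary
    parent: str     # basename of the parent process
    cmdline: str    # full command line


HTA_HOST = "mshta.exe"         # assumption: the Windows HTA handler
CSHARP_COMPILER = "csc.exe"    # assumption: compiler used for on-host handler builds
ARCHIVE_OR_SHELL = {"explorer.exe", "7zfm.exe", "winrar.exe"}
DEV_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def triage(events):
    """Return (pid, reason) pairs for events matching a stage of the chain."""
    findings = []
    for e in events:
        img, par, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
        if img == HTA_HOST and (par in ARCHIVE_OR_SHELL or "http" in cmd):
            # Stage 1: HTA handler started from the shell/archive tool or pointed at a remote resource
            findings.append((e.pid, "HTA host run from shell/archive or given a remote URL"))
        elif par == HTA_HOST and img in SHELLS:
            # Stage 2: HTA handler downloading/executing the next payload through a shell
            findings.append((e.pid, "shell spawned by HTA host"))
        elif img == CSHARP_COMPILER and par not in DEV_TOOLS:
            # Implant stage: C# compiler launched outside any build tool
            findings.append((e.pid, "C# compiler spawned outside a build tool"))
    return findings


# Constructed sample: one benign build step, then three suspicious events.
SAMPLE = [
    ProcEvent(100, "csc.exe", "msbuild.exe", "csc.exe /noconfig @obj\\args.rsp"),
    ProcEvent(200, "mshta.exe", "explorer.exe", "mshta.exe http://example.invalid/aid.hta"),
    ProcEvent(201, "powershell.exe", "mshta.exe", "powershell -w hidden -enc <placeholder>"),
    ProcEvent(300, "csc.exe", "implant.exe", "csc.exe /t:library /out:C:\\Users\\Public\\h.dll"),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE):
        print(pid, why)
```

Parent-process names in the two allow-lists are starting points; tune them to the build tooling actually present in your environment before relying on the csc.exe rule.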