Threat Actors Impersonate CERT-UA to Distribute AGEWHEEZE

Basically, hackers pretended to be a security team to trick people into downloading harmful software.
Hackers impersonated CERT-UA to distribute AGEWHEEZE malware via phishing emails. About 1 million users across various sectors are at risk. Strengthening security measures is crucial to combat such threats.
What Happened
Threat actors, identified as UAC-0255, have launched a sophisticated phishing campaign by impersonating the Ukrainian cybersecurity incident response team, CERT-UA. This operation aimed to distribute the AGEWHEEZE remote access tool to a wide range of potential victims.
Who's Being Targeted
The campaign targeted approximately 1 million users across various sectors, including government, healthcare, education, and finance. The attackers sent emails urging recipients to download a password-protected archive from Files.fm, which contained a fake "security tool."
How It Works
Upon installation, this tool deployed AGEWHEEZE, a multifunctional malware capable of:
- Command execution
- File management
- Screen capture
- Persistence via registry entries or scheduled tasks
The attackers also created a fake website, cert-ua[.]tech, mimicking the legitimate CERT-UA site to spread the malware further. Evidence suggests that the command-and-control server is hosted on OVH infrastructure and contains Russian-language elements, hinting at the attackers' origin.
Signs of Infection
Victims may notice unusual system behavior, unauthorized access to files, or unexpected network activity. If you receive suspicious emails urging software downloads, exercise caution.
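As an added example (not part of the original advisory or any CERT-UA tooling), the PowerShell check below audits the two persistence locations named above, Run/RunOnce registry keys and scheduled tasks, and flags entries whose command points into user-writable folders such as Temp, AppData or Downloads; the folder list and the "suspicious path" heuristic are assumptions for illustration, not indicators published for this campaign.

```powershell
# Added hunting check (not from the advisory): list autostart entries whose
# command points into user-writable locations, the kind of path a downloaded
# archive gets extracted to. Run in an elevated PowerShell session to see HKLM.
$suspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'Downloads')
)

function Test-SuspiciousPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    foreach ($root in $suspiciousRoots) {
        if ($root -and $Command -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce keys (per-user and machine-wide)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        if (Test-SuspiciousPath $p.Value) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled task actions
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-SuspiciousPath $cmd) {
            $findings += [pscustomobject]@{
                Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = $cmd
            }
        }
    }
}

# Review each hit manually; legitimate updaters also live under AppData.
$findings | Format-Table -AutoSize -Wrap
```

Hits are leads, not verdicts: compare each flagged executable against a known-good inventory before removing it.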
How to Protect Yourself
CERT-UA emphasizes the need for organizations to reduce their attack surfaces and strengthen security measures. Recommended actions include:
- Implementing application control tools like AppLocker
- Enhancing system protections
- Training employees to recognize phishing attempts
By taking these steps, organizations can better defend against similar phishing campaigns in the future.