Malware & Ransomware · HIGH

UAC-0255 - Phishing Campaign Spreads AGEWHEEZE Malware

Source: Security Affairs
Tags: AGEWHEEZE, UAC-0255, CERT-UA, phishing, malware

Basically, hackers pretended to be a security agency to trick people into downloading harmful software.

Quick Summary

A phishing campaign impersonating CERT-UA, Ukraine's national computer emergency response team, has spread the AGEWHEEZE remote access tool. The emails reached roughly 1 million addresses and lured recipients into installing what was presented as a security tool. Actual compromises were few, but the campaign shows how easily a trusted agency's name can be borrowed to deliver malware.

What Happened

A new phishing campaign attributed to the threat actor UAC-0255 impersonates CERT-UA, the Ukrainian government's computer emergency response team. The emails, sent to approximately 1 million addresses, urged recipients to download a password-protected archive hosted on Files.fm. The password protection stops mail gateways and download scanners from inspecting the contents, so the archive arrives unflagged. Recipients who extracted and ran it, believing it to be a legitimate security tool, instead installed the AGEWHEEZE malware.

Who's Affected

The phishing emails went to a wide range of recipients, including government organizations, medical centers, security companies, educational institutions and financial institutions. Although the attackers claimed to have infected more than 200,000 devices, the observed impact was far smaller: only a handful of devices at educational institutions were found to be compromised.

How It Works

AGEWHEEZE is a multifunctional remote access tool (RAT) that gives the operator control of an infected system. Once installed it can execute commands, manage files, capture screenshots and read clipboard contents. It persists by registering itself in system startup locations and registry entries so that it runs again after a reboot. Command-and-control traffic runs over WebSockets, which ride on an ordinary HTTP(S) connection and therefore blend with normal web traffic more easily than a bespoke protocol would.
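The article names startup locations and registry entries as the persistence mechanism and WebSockets as the C2 channel, but gives no specific keys or hosts. The following is an added triage script, not code from the article or from CERT-UA, that enumerates the usual Run/RunOnce keys and Startup folders, flags entries whose target sits in a user-writable directory (where a payload extracted from a downloaded archive would land), and lists established outbound TCP sessions by owning process so that a WebSocket beacon to port 80/443 from an unexpected binary stands out. The list of "suspicious" path fragments is an assumption for illustration; adjust it to your environment.

```powershell
# Added example (not from the original article or CERT-UA): hunt for autostart
# entries and outbound sessions that fit the behaviour described for AGEWHEEZE.
# Assumes persistence via Run keys or the Startup folder; the article does not
# name the exact locations, so this is a generic hunt.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories an unprivileged user can write to. Legitimate autostarts rarely
# point here; a freshly dropped payload usually does. (Assumed list.)
$SuspiciousRoots = @('\AppData\', '\Temp\', '\Downloads\', '\ProgramData\', '\Public\')

function Test-SuspiciousPath {
    param([string]$Command)
    foreach ($root in $SuspiciousRoots) {
        if ($Command -like "*$root*") { return $true }
    }
    return $false
}

function Get-AutostartEntries {
    $results = @()

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds
            if ($prop.Name -like 'PS*') { continue }
            $results += [pscustomobject]@{
                Location   = $key
                Name       = $prop.Name
                Command    = [string]$prop.Value
                Suspicious = Test-SuspiciousPath ([string]$prop.Value)
            }
        }
    }

    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            $target = $_.FullName
            # Resolve .lnk shortcuts so the real target is inspected
            if ($_.Extension -eq '.lnk') {
                $shell  = New-Object -ComObject WScript.Shell
                $target = $shell.CreateShortcut($_.FullName).TargetPath
            }
            $results += [pscustomobject]@{
                Location   = $folder
                Name       = $_.Name
                Command    = $target
                Suspicious = Test-SuspiciousPath $target
            }
        }
    }
    return $results
}

function Get-OutboundConnections {
    # A WebSocket C2 channel is just an established TCP session (usually to
    # 80 or 443) owned by the malware's process; list sessions with their
    # owning process and binary path so an odd pairing can be spotted.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $proc.ProcessName
                Path    = $proc.Path
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# Suspicious autostarts first, then the live outbound sessions to review
Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-OutboundConnections | Sort-Object Path | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and other users' processes are readable; anything flagged Suspicious, or any session to port 80/443 owned by a binary outside Program Files or the Windows directory, is worth pulling for analysis.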

Tactics & Techniques

The attackers registered cert-ua[.]tech, a lookalike of the real CERT-UA site (which lives under the cert.gov.ua domain), and used it to distribute AGEWHEEZE. The fake site linked to a Telegram channel that claimed responsibility for the attack, which supports the attribution to UAC-0255. The combination of a password-protected archive, which automated scanners cannot open, and the guise of a security tool from a trusted agency were the key tactics of the campaign.

Defensive Measures

CERT-UA has been working to contain the spread of the malware. It recommends reducing the attack surface and using application control such as AppLocker, so that an executable dropped into a user-writable location, for instance a file extracted from a downloaded archive, cannot run at all. Organizations should also treat unsolicited emails that urge the download of a security tool with suspicion, especially when the archive is password-protected or hosted on a third-party file-sharing service, and check the sender's and site's domain against the agency's real one.
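The article recommends AppLocker without showing a policy. The following is an added example, not from the article or from CERT-UA, of an AppLocker policy that allows executables and scripts from the Windows and Program Files directories, leaves administrators unrestricted, and explicitly denies execution from Downloads, Temp and the rest of the user profile, which is where an archive pulled from Files.fm would be extracted. It is deployed in AuditOnly mode first so the would-have-blocked events can be reviewed before enforcement. The file name cert-ua-tool.exe used in the dry run is a hypothetical placeholder; the script requires an elevated prompt on a Windows edition that supports AppLocker.

```powershell
# Added example (not from the original article or CERT-UA): an AppLocker policy
# that blocks execution from user-writable locations, staged in audit mode.
# Run elevated. Rule IDs are generated at runtime; the SIDs are the well-known
# Everyone (S-1-1-0) and Administrators (S-1-5-32-544) groups.

$PolicyPath = "$env:TEMP\AppLocker-DenyUserWritable.xml"

# AppLocker is default-deny: anything not matched by an Allow rule is blocked.
# The explicit Deny rules below still matter: Deny beats Allow, so they hold
# even if someone later adds a broad Allow rule, and they name the intent in
# the event log.
$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows directory"
        Description="OS binaries" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files"
        Description="Installed software (covers both Program Files directories)" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything"
        Description="Administrators are unrestricted" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user profile"
        Description="Downloads, AppData, Temp and any other user-writable profile path" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny ProgramData"
        Description="World-writable by default" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows scripts"
        Description="OS scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files scripts"
        Description="Installed software" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators scripts"
        Description="Administrators are unrestricted" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user profile scripts"
        Description="Scripts dropped into the user profile" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$Policy | Set-Content -Path $PolicyPath -Encoding UTF8

# AppLocker only enforces while the Application Identity service is running.
# sc.exe is used because the service is protected and Set-Service may refuse.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Merge with the existing local policy instead of replacing it
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Dry run against a file in Downloads (the file must exist for Test-AppLockerPolicy
# to evaluate it; the name is a placeholder for a payload like the one in the article)
$Sample = "$env:USERPROFILE\Downloads\cert-ua-tool.exe"
if (Test-Path $Sample) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Sample -User Everyone
}

# While in AuditOnly mode, event 8003 records executions that would have been
# blocked. Review these before changing EnforcementMode to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Leave the policy in AuditOnly for long enough to catch legitimate line-of-business tools that run from the user profile (some updaters and portable apps do), add Publisher or Hash rules for those, and only then switch both collections to EnforcementMode="Enabled".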

Conclusion

This incident shows how attackers borrow the identity of trusted entities, here the very agency that would warn about such a campaign, and how AI tooling lowers the cost of producing a convincing lookalike site. Users and organizations need to stay informed and verify the source before they install anything presented as a security tool.

🔒 Pro insight: The use of AI-generated phishing sites marks a dangerous evolution in social engineering tactics, requiring heightened awareness and proactive defense strategies.

Original article from Security Affairs · Pierluigi Paganini

Related Pings

Malware & Ransomware · HIGH

Akira Lookalike Ransomware - New Campaign Targets Windows Users

A new ransomware campaign mimicking Akira is targeting Windows users in South America. This threat employs a Babuk-based encryptor, raising concerns about regional cybersecurity. Victims face file encryption and ransom demands that cleverly imitate Akira's tactics.

Source: Cyber Security News

Malware & Ransomware · HIGH

Akira Ransomware - Achieves Data Encryption in Under an Hour

Akira ransomware can encrypt data in under an hour, posing a significant threat to businesses. Their stealthy tactics and double-extortion model increase the risk of data loss. Organizations need to bolster their defenses to combat this evolving threat.

Source: CyberScoop

Malware & Ransomware · HIGH

Malware - Hackers Clone CERT-UA Site to Install RAT

Hackers have cloned Ukraine's CERT-UA site to distribute a dangerous RAT. Government and medical staff were targeted, raising serious security concerns. Quick action by CERT-UA helped contain the threat.

Source: Cyber Security News

Malware & Ransomware · HIGH

Qilin Ransomware - Disables Major EDR Solutions with DLL

Qilin ransomware is using a malicious DLL to disable major EDR solutions. This sophisticated attack targets organizations' defenses, making them vulnerable to ransomware. Enhanced security measures are crucial to combat this threat.

Source: Cyber Security News

Malware & Ransomware · HIGH

Stryker Back to Operations After Iranian Wiper Attack

Stryker has resumed full operations after a cyberattack by Iranian hackers. The Handala group targeted the company with wiper malware, disrupting critical processes. Stryker is now focused on patient care and system stability while recovering from this incident.

Source: CyberScoop

Malware & Ransomware · HIGH

Boeing RFQ Malware Campaign - Hackers Deploy Six-Stage Attack

A new malware campaign is targeting industrial suppliers with fake Boeing RFQ emails. This sophisticated attack uses multiple file types to evade detection. Organizations need to be aware and take action to protect themselves.

Source: Cyber Security News