Turla, a Russian APT group, has been spotted deploying its first Android malware, disguised as a DDoS tool aimed at Russia. The malicious app is hosted on cyberazov.com, a domain impersonating the Ukrainian Azov regiment, and was spotted by Google’s Threat Analysis Group (TAG).
The Android app, claiming to attack Russian internet infrastructure, is still available at the aforementioned domain as an APK download. The app just sends one GET request to the target website, not nearly enough to damage a site’s internet infrastructure.
TAG analysts believe that Turla operators used the StopWar app, developed by pro-Ukrainian developers, as inspiration when creating this fake version. This is the first known instance of Turla distributing Android malware, although TAG believes there was no major impact on Android users and the app’s total downloads are rather minuscule.
Financially motivated threat actors moving against Ukraine
TAG also noted that it has seen an increasing number of financially motivated actors targeting the war-torn country. The Follina vulnerability, first disclosed in May, is also being actively exploited by both APT and cybercrime groups throughout June following a patch released by Microsoft.
The researchers also observed multiple Russian GRU actors, APT28 and Sandworm, running campaigns that exploit the Follina vulnerability. These campaigns use compromised government accounts to send links to malicious Office documents hosted on compromised domains, targeting media organisations in Ukraine.
Another campaign, from a threat group tracked by CERT-UA as UAC-0098, sent malicious documents laced with the Follina exploit inside password-protected archives impersonating the State Tax Service of Ukraine. Ghostwriter (also known as UNC1151), a Belarusian threat actor, has been actively targeting Polish webmail and social media networks using the ‘Browser in the Browser’ phishing method first noted by TAG in March.
Another Russian threat actor, Coldriver, known to have leaked sensitive information from a compromised account in a case unrelated to Ukraine, has been sending credential phishing emails to targets, including government and defence officials, politicians, NGOs and think tanks, and journalists. Coldriver is also targeting users by sending them links to PDFs or documents hosted on Google Drive and Microsoft OneDrive containing links to an attacker-controlled phishing domain.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.