Cybercriminals have been driving down two avenues of low-hanging fruit for harvest. Follow cyber hygiene best practices to avert personal disaster!

In the face of destabilizing geopolitics, the already tumultuous cyber threat landscape has arguably worsened. Bountiful low hanging fruit are ripe for the picking by cybercriminals eager to take advantage of the chaos and confusion.

According to Infoblox cyber researchers, the opportunities have come to fruition in the form of  fraudulent Ukrainian support campaigns mounted by crooks to steal donations; as well as malicious phishing campaigns leveraging the war that mask the keylogging remote access trojan software, Agent Tesla.

According to Dr Renee Burton, Senior Director of Threat Intelligence, Infoblox, who was also a senior research data scientist at the United States Department of Defense: “These cyber scams show that cybercriminals pay attention to the news and are responding lightning fast to take advantage. A number of fake relief sites were activated within a day of the invasion. Several domains were registered in the weeks prior, indicating planning on their part. While cryptocurrency was the preferred donation type, the actors also solicited credit card and bank account contributions. In the Agent Tesla campaign, bad actors are using the crisis to steal user credentials and financial information.”

Ukraine-support fraud

Since the Russian invasion of Ukraine on 24 February, the Infoblox Threat Intelligence Group had observed a marked increase in the number of new Ukraine-related domain names on their recursive DNS resolvers.

Much of this activity was part of a global response to the humanitarian crisis happening in Eastern Europe, and some of this activity consists of new efforts led by previously uncoordinated groups. However, cyber criminals have also seized on the opportunity and created many sites to spoof or imitate genuine support efforts.

Through the use of multiple analytics studies and monitoring of newly set up domains, cyber researchers have found indicators related to activities ranging from malware campaigns to individuals making new efforts to coordinate the delivery of medical supplies to Ukraine. Among the most prevalent threats in this environment are scams to collect cryptocurrency.

In particular, many Ukraine-linked support efforts, both legitimate and fraudulent, are being established as Decentralized Anonymous Organizations (DAOs) that rely on financial transaction records and rules established in a blockchain. On 26 February a Twitter account identifiable with the Ukrainian government had requested cryptocurrency donations, which could have contributed to the flurry of emerging sites offering donations via virtual currency.

In the hours after Russian troops crossed the border with Ukraine, a number of legitimate DAOs were established to protest Russia’s actions and create financial support for Ukraine. Perhaps most notable of these is Ukraine DAO, established by Pussy Riot founder Nadya Tolokonnikova and other activists.

Due to this DAO’s new registration and use of cryptocurrency, many security vendors have falsely concluded that its hosting domain is malicious. Although hosted on a newly registered domain and utilizing cryptocurrency, Ukraine DAO is publicly claimed by the founders and recognized in verified Twitter accounts. InfoBlox has concluded that this domain is not hosting malware or fraudulent content.

The crypto scam from saveukraine[.]xyz

On the other hand, other newly registered domains with seemingly genuine intentions have been found to be spurious, such as saveukraine and adoptaukrainiangirl. Distinguishing between these two scenarios can be difficult even for the most cautious of individuals. The firm has therefore put up a continually updated list of indicators of compromise in GitHub for potential supporters who want to tap into the research.

Malspam drops Agent Tesla

On 1st March 2022, a malspam campaign used messages related to the Ukraine invasion to lure supporters into downloading a ZIP file attachment whose contents could download the Agent Tesla key logger.

When the ZIP file is extracted, an embedded Windows executable will launch and then modify the system to launch it whenever a user signs into the machine. Next, the malware downloads Agent Tesla binary from Discord’s content delivery network (CDN) servers and injects the malicious code into the legitimate Windows process MSBuild.exe via process hollowing—a common technique for evading detection by antivirus software.

Then, Agent Tesla steals account credentials and other sensitive information from the compromised system and sends the stolen data to the bad actors’ designated email accounts.

Agent Tesla is a malware-as-a-service (MaaS) remote access trojan usually distributed via spam or phishing emails, and it has many capabilities for stealing information from a victim’s machine, including the following:

  • logging keystrokes
  • extracting data from the host’s clipboard
  • capturing screens
  • grabbing forms
  • stealing credentials from VPN software

Vulnerabilities and mitigation

In order not to fall victim to cybercriminals when supporting the Ukraine cause, readers are reminded that the standard anti-phishing best practices be observed religiously. Also:

  • Be wary of opening emails from unfamiliar senders, and inspect unexpected attachments before opening them.
  • Agent Tesla can also communicate with its command & control server using a Tor client. Firms should forbid the use of the Tor network if it is not crucial to business operations.
  • Identify and flag API requests to messaging and CDN services such as Discord. Such requests are indicative of unusual user behavior.
  • Do not allow web browsers to save credentials or other sensitive information.