Sandworm-linked hackers target users of Ukraine’s military app in new spying campaign

Category	Details
Threat Actors	Sandworm (linked to Russian military intelligence, GRU), UAC-0125, APT44
Campaign Overview	Espionage campaign targeting Ukrainian soldiers with fraudulent websites mimicking the Army+ app to deliver malware. Attack involves data exfiltration and system compromise.
Target Regions (Victims)	Ukraine, Ukrainian military personnel
Methodology	Creation of fake websites, delivering malware through an executable disguised as an app installer, using Cloudflare Workers to host malicious sites.
Product Targeted	Ukrainian military app Army+, messaging apps used by Ukrainian armed forces (e.g., Telegram, Signal), devices captured on the battlefield
Malware Reference	NSIS-based installer, malicious program grants hidden access, exfiltrates data over Tor network
Tools Used	NSIS (Nullsoft Scriptable Install System), Tor network, Cloudflare Workers
Vulnerabilities Exploited	Exploitation of legitimate services (Cloudflare Workers) for hosting fraudulent sites.
TTPs	Phishing (fake websites), malware delivery disguised as legitimate app, data exfiltration via Tor, leveraging legitimate services for obfuscation
Attribution	Highly likely linked to Sandworm (APT44), a Russian state-sponsored threat actor, possibly associated with GRU.
Recommendations	Enhanced awareness and detection for phishing attacks, secure app development, and greater scrutiny of apps used by military personnel.
Source	The Record

Read full article: https://therecord.media/ukraine-military-app-espionage-russia-sandworm

The above summary has been generated by an AI language model