CERT-UA detects Malicious RDP Files in Recent Attack on Ukrainian Entities

Oct 26, 2024

Ravie Lakshmanan

Cyber Attack / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a new malicious email campaign that is targeting government agencies, enterprises, and military entities.

The agency warns that the emails use lures themed around integration with popular services such as Amazon and Microsoft, and carry Remote Desktop Protocol configuration files (‘.rdp’) as attachments.

When a recipient opens one of these RDP files, the victim's machine initiates an outbound Remote Desktop connection to an attacker-controlled server. The file's settings redirect local resources (such as local disks, the clipboard and other devices) to that server, which lets the threat actors read and steal data from the host and plant malware for follow-on attacks.
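To make the attack mechanics above concrete for defenders, here is an added example (it is not CERT-UA's, Amazon's or the reporter's tooling) of a small Python triage script for .rdp attachments. An .rdp file is plain text, one `name:type:value` directive per line; the script flags the standard mstsc settings that redirect local drives, clipboard, smart cards and other devices to the remote host, plus settings that suppress credential and server-authentication prompts. The two embedded .rdp bodies are constructed for this example and the host `rdp.example.invalid` is a placeholder, not a domain from the campaign.

```python
"""Triage scanner for .rdp attachments (added example, not CERT-UA or AWS code)."""
from typing import Dict, List, Tuple, Union

# Standard mstsc.exe directives that hand local resources to the remote server,
# or that remove the warnings a user would otherwise see. The lambda says when
# the observed value is risky.
RISKY_DIRECTIVES = {
    "drivestoredirect":         lambda v: v.strip() != "",  # local drives; '*' = all of them
    "devicestoredirect":        lambda v: v.strip() != "",  # plug-and-play devices
    "usbdevicestoredirect":     lambda v: v.strip() != "",  # raw USB passthrough
    "redirectclipboard":        lambda v: v == "1",
    "redirectprinters":         lambda v: v == "1",
    "redirectsmartcards":       lambda v: v == "1",         # exposes smart-card logon to the server
    "redirectcomports":         lambda v: v == "1",
    "redirectwebauthn":         lambda v: v == "1",         # FIDO/WebAuthn keys (newer clients)
    "audiocapturemode":         lambda v: v == "1",         # microphone
    "remoteapplicationmode":    lambda v: v == "1",         # RemoteApp: a program on the server, not a desktop
    "remoteapplicationprogram": lambda v: v.strip() != "",
    "alternate shell":          lambda v: v.strip() != "",  # program launched instead of the desktop
    "prompt for credentials":   lambda v: v == "0",         # never ask, just connect
    "authentication level":     lambda v: v == "0",         # no server-authentication warning
}

def _decode(data: Union[str, bytes]) -> str:
    # Files saved by mstsc are usually UTF-16 LE with a BOM; others are UTF-8.
    if isinstance(data, str):
        return data
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .rdp text into {directive: (type, value)}.

    Values may themselves contain ':' (e.g. host:port), so only the first two
    colons are separators. Type codes are s (string), i (integer), b (binary).
    """
    out: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or ":" not in line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        out[parts[0].lower()] = (parts[1], parts[2])
    return out

def triage_rdp(data: Union[str, bytes], allowed_hosts=()) -> Dict[str, object]:
    """Return the target host, whether the file carries a signature, the risky
    directives found, and a verdict: allow / review / block."""
    cfg = parse_rdp(_decode(data))
    host = cfg.get("full address", ("s", ""))[1]
    hostname = host.rsplit(":", 1)[0].lower() if host else ""  # strips :port (IPv4/DNS names)
    findings: List[str] = []
    for name, is_risky in RISKY_DIRECTIVES.items():
        if name in cfg and is_risky(cfg[name][1]):
            findings.append(f"{name}={cfg[name][1]}")
    # A signature only proves who published the file; it does not make the
    # redirection safe, so it is reported but does not change the verdict.
    signed = "signature" in cfg
    if not findings:
        verdict = "allow"
    elif hostname in {h.lower() for h in allowed_hosts}:
        verdict = "review"   # redirection to a known corporate RDP host
    else:
        verdict = "block"    # redirection to an unknown external host
    return {"host": host, "signed": signed, "findings": findings, "verdict": verdict}

# Constructed sample: a file that redirects everything to an external host.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
username:s:user
prompt for credentials:i:0
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Explorer
"""

# Constructed sample: an ordinary desktop connection with redirection disabled.
BENIGN_RDP = """\
full address:s:rdp.example.invalid
redirectclipboard:i:0
drivestoredirect:s:
authentication level:i:2
prompt for credentials:i:1
"""

if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(label, triage_rdp(body))
```

In a mail pipeline the same function would run over the decoded attachment bytes, and the simplest policy is to quarantine any .rdp whose verdict is not `allow`; most organisations never send .rdp files by e-mail at all, so blocking the extension outright at the gateway is a reasonable default.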

CERT-UA attributes the campaign to a threat cluster it tracks as UAC-0215, believes preparations began no later than August 2024, and expects the activity to expand beyond Ukraine.

Amazon Web Services (AWS) has linked the same campaign to the Russian state-sponsored group APT29 (also tracked as Midnight Blizzard), stating that its goal was to harvest Windows credentials through Microsoft Remote Desktop.

Following the discovery, Amazon seized the domains APT29 was using to impersonate AWS, disrupting the operation. Some of the deceptive domains identified are listed below.

  • ca-west-1.mfa-gov[.]cloud
  • central-2-aws.ua-aws[.]army
  • us-east-2-aws.ua-gov[.]cloud
  • and more…

CERT-UA has also warned of a large-scale attack by a threat cluster tracked as UAC-0218, which targets Ukrainian users with phishing emails containing links to malicious RAR archives.

The archive delivers a malware dubbed HOMESTEEL, designed to exfiltrate sensitive files to an attacker-controlled server.

Separately, CERT-UA has raised an alert about a campaign using the ClickFix technique, in which emails lead victims to a page that instructs them to paste and run a command themselves; doing so downloads and executes a PowerShell script that carries out unauthorized actions on the host.

The disclosures follow a Bloomberg report on the systematic targeting of Ukraine's infrastructure and government by Russia's military intelligence and Federal Security Service (FSB) between 2017 and 2020.
