AgingFly Malware Targets Ukraine's Government and Hospitals
Severity: High (Score: 75.5)
Sources: Bleepingcomputer
Summary
The new AgingFly malware has been detected in cyberattacks against local governments and hospitals in Ukraine, primarily aimed at stealing authentication data from Chromium-based browsers and WhatsApp. CERT-UA attributes the attacks to the UAC-0247 threat cluster. The intrusions began with phishing emails disguised as humanitarian aid offers; the emails contained links to compromised sites or AI-generated fake sites that delivered the malicious payloads.

The malware uses a two-stage loader and tools such as ChromElevator and ZAPiDESK to extract sensitive information from the host. For lateral movement inside the victim network the actor relies on publicly available utilities, including Ligolo-ng, Chisel and RustScan. The malware itself is written in C# and provides remote control, keylogging and file exfiltration. The ongoing investigation has identified multiple incidents, with the threat actor actively targeting sensitive data belonging to Ukrainian officials and military representatives.

Key Points:
• AgingFly malware targets Ukrainian government and hospital systems.
• Attacks are initiated via phishing emails with links to compromised or fake sites.
• The malware employs a multi-stage loader, browser credential theft and tunnelling utilities for lateral movement.
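The behaviours above map onto a few hunting rules a defender can run over endpoint telemetry: a non-browser process opening a Chromium-family credential store (T1003), schtasks /create launched from a binary in a user-writable directory (T1053.005), and execution of a tunnelling tool such as Chisel or the Ligolo-ng agent. The script below is an added example and is not CERT-UA or BleepingComputer tooling; the event schema, the sample events, the tool binary names and the command-line patterns are constructed assumptions for illustration, not indicators from the report.

```python
"""Triage rules for the AgingFly-style tradecraft described in the summary.

Added example, not code from the report or from CERT-UA.  The Sysmon-style
event schema, the SAMPLE_EVENTS and the tool names are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath

# Assumed default binary names of the tunnelling / scanning tools named in
# the report (Ligolo-ng agent, Chisel, RustScan).  Operators rename binaries,
# so the command-line patterns below are the stronger signal.
TUNNEL_TOOL_IMAGES = {"agent.exe", "ligolo-agent.exe", "chisel.exe", "rustscan.exe"}
# Chisel reverse tunnel ("client <server> R:...") or Ligolo-ng agent ("-connect host:port").
TUNNEL_CMDLINE_RE = re.compile(r"\bclient\b.*\bR:|-connect\s+\S+:\d+", re.IGNORECASE)

# Chromium-family credential stores (Chrome, Brave) that ChromElevator-style
# tooling reads; normally only the browser itself opens them.
CRED_STORE_RE = re.compile(r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe", "brave.exe", "msedge.exe"}

# Directories a loader dropped by a phishing lure typically runs from.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed telemetry: Sysmon field names, made-up values (not real IoCs).
SAMPLE_EVENTS = [
    {"Event": "FileAccess", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Event": "FileAccess", "Image": r"C:\Users\olena\AppData\Local\Temp\svchost.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\olena\AppData\Roaming\upd.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\olena\AppData\Roaming\upd.exe"'},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"schtasks.exe /create /sc daily /tn Backup /tr C:\Scripts\backup.cmd"},
    {"Event": "ProcessCreate", "Image": r"C:\Users\olena\AppData\Local\Temp\ch.exe",
     "ParentImage": r"C:\Users\olena\AppData\Roaming\upd.exe",
     "CommandLine": r"ch.exe client 203.0.113.10:8080 R:socks"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe report.txt"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def rule_browser_credential_access(ev: dict) -> bool:
    """T1003-style: a process that is not the browser opens a Chromium credential store."""
    return (ev["Event"] == "FileAccess"
            and CRED_STORE_RE.search(ev["TargetFilename"]) is not None
            and _name(ev["Image"]) not in BROWSER_IMAGES)


def rule_scheduled_task_from_user_dir(ev: dict) -> bool:
    """T1053.005: schtasks /create spawned by a parent living in a user-writable path."""
    return (ev["Event"] == "ProcessCreate"
            and _name(ev["Image"]) == "schtasks.exe"
            and "/create" in ev["CommandLine"].lower()
            and USER_WRITABLE_RE.search(ev["ParentImage"]) is not None)


def rule_tunnel_tool(ev: dict) -> bool:
    """Tunnelling/scanning tool by default binary name or by characteristic command line."""
    return (ev["Event"] == "ProcessCreate"
            and (_name(ev["Image"]) in TUNNEL_TOOL_IMAGES
                 or TUNNEL_CMDLINE_RE.search(ev["CommandLine"]) is not None))


RULES = [
    ("browser_credential_access", "T1003", rule_browser_credential_access),
    ("scheduled_task_from_user_dir", "T1053.005", rule_scheduled_task_from_user_dir),
    ("tunnel_tool_execution", "T1572 (assumed mapping)", rule_tunnel_tool),
]


def triage(events: list) -> list:
    """Return (rule, technique, image) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, technique, check in RULES:
            if check(ev):
                findings.append((name, technique, ev["Image"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

On the constructed sample the benign Chrome read and the admin-created backup task are ignored, while the renamed Chisel client is still caught by its `client ... R:` command line even though its binary name matches nothing. The ATT&CK mapping of the tunnelling rule to T1572 is the editor's assumption; the page itself lists T1003, T1053.005 and T1055.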
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Cross-site Scripting (attack_type)
- Ukraine (country)
- AgingFly (malware)
- Ravenshell (malware)
- Chisel (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1053.005 - Scheduled Task (mitre_attack)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- Brave (platform)
- Telegram (platform)
- WhatsApp (platform)
- Windows (platform)
- Google Chrome (platform)
- ChromElevator (tool)
- Ligolo-ng (tool)
- PowerShell (tool)
- RustScan (tool)