Increased malware shipments and online scams related to the Ukraine war

Cyberwar is a dominant IT aspect of the current conflict. Spam senders are riding on it, and their emails are now landing well outside the countries directly involved. The more violent the clashes in Ukraine, the more online fraud and malware is dispatched by e-mail. The criminals' perfidious goal: to exploit the humanitarian crisis and the general willingness to help.

Bitdefender Labs has observed several email campaigns over the past few days, some of which are aimed at companies and also end up in German mailboxes.

Campaign 1: Agent Tesla Remote Access Trojan

Hackers are attacking companies in the manufacturing industry with Agent Tesla, a so-called “Malware-as-a-Service Remote Access Trojan” (MaaS RAT). It steals data and has been used by hackers in numerous email campaigns, especially during the pandemic.

The spam emails attempt to distribute the malicious tool via a ZIP attachment called “REQ Supplier Survey”. According to the email, recipients are asked to provide information about their backup plans in view of the Ukraine war for a study. The malicious payload is downloaded from a Discord link and deployed directly onto the victim’s system. To distract users, a genuine Chrome version is also downloaded.

86 percent of the emails originate from Dutch IP addresses. The attackers send them worldwide: most frequently to South Korea (23%) and to the Czech Republic (14%). Germany and Great Britain share 3rd place with 10% each.

Campaign 2: Remcos RAT

Bitdefender experts have been monitoring another malware spam campaign since March 2nd. Here, the attackers pose as a South Korean specialist in analytical equipment for in-vitro diagnostics. They spread the Remcos RAT malware via an attached Excel spreadsheet (SUCT220002). In this way, cybercriminals gain full control over the attacked systems via infected documents or archives. Remcos RAT records keystrokes, screenshots, access data and other sensitive system information and exfiltrates them to the originators’ servers.

According to the IP addresses, 89% of the emails come from Germany and 19% from the USA. In addition to Ireland (32%), India (17%) and the USA (7%), the recipient countries include Great Britain, Germany and Vietnam, each with 4% of the recipients.

Fraudulent fundraising

In fraudulent emails, scammers pretend to belong to the Ukrainian government or to organizations such as Act for Peace, UNICEF and the Ukraine Crisis Relief Fund. Under various subject lines they ask for monetary donations for the Ukrainian army or for aid to the civilian population in the war zone. 7% of emails with the subject “Stand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum and USDT” have so far reached German recipients; 25% went to Great Britain, 14% to the USA, 10% to South Korea, 8% to Japan, 4% to Romania and 2% each to Greece, Finland and Italy.

The Nigerian prince is back

Fraudsters are picking up this well-known scam motif and spreading it, especially in Germany: a businessman from Ukraine allegedly asks for help transferring ten million US dollars until he can safely deposit it again himself. If the victim makes contact, the attackers will likely ask for personal information, promise a reward and ask for money, for example to cover bank fees. The victims then never see their money again.

The IP addresses of the senders are 83% in Botswana, 10% in Germany and 5% in France. The addressees live primarily in Germany (42%), followed by Turkey (16%), the United States of America (16%), Ireland (8%) and Poland (3%).
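As an added example (not Bitdefender's code or tooling), the following Python script triages constructed sample messages against the lure characteristics described above: the attachment names quoted for the Agent Tesla and Remcos campaigns, the payload staged behind a Discord link, the cryptocurrency donation appeal, and the advance-fee transfer request. The Discord hostnames, the sample addresses and the message bodies are assumptions constructed for this example; the article itself only names the attachment files and the subject line.

```python
# Added example: triage constructed sample messages against the lure
# characteristics the article describes. Not Bitdefender code.
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment names quoted in the article for the two RAT campaigns
LURE_ATTACHMENT_STEMS = {"req supplier survey", "suct220002"}
# Container types the article says carried the payloads (ZIP, Excel)
RISKY_SUFFIXES = (".zip", ".xls", ".xlsx", ".xlsm")
CRYPTO_TERMS = ("cryptocurrency", "bitcoin", "ethereum", "usdt")
# Hostnames are an assumption for illustration; the article only says "a Discord link"
DISCORD_LINK = re.compile(r"https?://[a-z.]*discord(app)?\.com/", re.IGNORECASE)


def build_sample(subject, sender, body, attachment=None):
    """Build a constructed sample message as raw bytes (attachment = (filename, bytes))."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "purchasing@example.com"  # constructed recipient
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def triage(raw_message):
    """Return the list of reasons a message matches the campaigns described above."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part is not None else ""
    haystack = subject + "\n" + text
    reasons = []

    # Campaigns 1 and 2: a known lure attachment name, or an archive/spreadsheet
    # riding on a Ukraine-themed pretext (catches renamed attachments too)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem = name.rsplit(".", 1)[0] if "." in name else name
        if stem in LURE_ATTACHMENT_STEMS:
            reasons.append(f"known lure attachment name: {name}")
        elif name.endswith(RISKY_SUFFIXES) and "ukraine" in haystack:
            reasons.append(f"war-themed pretext with risky attachment: {name}")

    # Campaign 1: payload staged on Discord
    if DISCORD_LINK.search(text):
        reasons.append("link to Discord-hosted content")

    # Fraudulent fundraising: donation appeal paid in cryptocurrency
    if "donation" in haystack and any(t in haystack for t in CRYPTO_TERMS):
        reasons.append("cryptocurrency donation appeal")

    # Advance-fee ("Nigerian prince") variant: large sum plus a fee or transfer request
    if "million" in text and ("bank fee" in text or "transfer" in text):
        reasons.append("advance-fee transfer request")

    return reasons


if __name__ == "__main__":
    # Constructed sample resembling the Campaign 1 lure
    sample = build_sample(
        "REQ Supplier Survey - backup plans in view of the Ukraine war",
        "survey@example.net",
        "Please complete the attached survey. Form: https://cdn.discordapp.com/example",
        ("REQ Supplier Survey.zip", b"PK\x03\x04constructed"),
    )
    for reason in triage(sample):
        print(reason)
```

The exact attachment names are the weakest signal, since the next wave will use different ones; the pretext-plus-container check and the donation and advance-fee wording checks are the parts worth keeping in a mail-gateway rule, and any hit should route the message to quarantine for analyst review rather than block it outright.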

With this wave of email scams disguised as emotional appeals, users should exercise standard due diligence when dealing with unexpected emails right now.

This includes:

• No clicking on links or attachments asking for an urgent donation
• Donations only through official and recognized organizations
• Regular checking of bank accounts for suspicious activity
• A separate password for every online user account
