The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.
The agency attributed the campaign to a threat actor it calls UAC-0027.
DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware’s ability to propagate in a worm-like fashion by taking advantage of known security flaws.
The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.
The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.
The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.
“The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive),” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.
The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it’s assessed to be part of Russia’s Federal Security Service (FSB).
SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram’s blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.
Gamaredon’s ability to spread via USB drives was also documented by Check Point in November 2023, which named the PowerShell-based USB worm LitterDrifter.
“The new SUBTLE-PAWS attack payload can be viewed as an evolution of the attack payloads by the malicious threat actor involved in the [LitterDrifter] campaign,” Kolesnikov, vice president of threat research and data science/AI at Securonix, told The Hacker News.
“For instance, LitterDrifter is vbscript-based. SUBTLE-PAWS is PowerShell. There are also differences in how these payloads work, SUBTLE-PAWS uses a different persistence mechanism, for example.”
“The SUBTLE-PAWS backdoor uses advanced techniques to execute malicious payloads dynamically,” the researchers said.
“They store and retrieve executable PowerShell code from the Windows Registry which can assist in evading traditional file-based detection methods. This approach also aids in maintaining persistence on the infected system, as the malware can initiate itself again after reboots or other interruptions.”