A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to potentially gather intelligence or commit financial theft, indicating a potential expansion of the threat actor’s targeting beyond Ukraine and into institutions supporting the war-torn nation.
The activity, which targeted an unnamed entity involved in regional development and reconstruction initiatives, has been attributed to a cybercrime group that has been tracked as UAC-0050 (aka Davinci Group). BlueVoyant has named the threat group as Mercenary Akula. This attack was seen earlier this month.
“The attack spoofed a Ukrainian jurisdictional domain to deliver emails containing links to a remote access payload,” researchers Patrick McHale and Joshua Greene said in a report shared with The Hacker News. “Involved in the target purchase was a senior legal and policy advisor, a role with privileged insight into institutional operations and financial mechanisms.”
The starting point is a spear-phishing email that uses legal-themed subject lines to direct recipients to download an archive file hosted on PixelDrain, a file-sharing service that threat actors use to bypass reputation-based security controls.
The ZIP archive initiates a multistage infection chain. Contained within the ZIP file is a RAR archive holding a password-protected 7-Zip archive, which in turn contains an executable that masquerades as a PDF document using the widely abused double-extension trick (*.pdf.exe).
Running the executable deploys an MSI installer for Remote Manipulator System (RMS), Russian remote desktop software that provides remote control, desktop sharing, and file transfer.
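The chain described above (ZIP, then RAR, then a password-protected 7-Zip archive, then a *.pdf.exe) is the kind of structure a mail gateway or triage script can flag before any payload runs. The following is an added example, not code from BlueVoyant or the report: it classifies attachment names by their final extension, detects the document-plus-executable double-extension masquerade, and walks a constructed record of a nested archive to collect risk indicators (password-protected layers, deep nesting, executables inside). The sample file names and the nested-archive record are constructed for illustration.

```python
"""Triage helpers for nested-archive, double-extension phishing lures.
Added example; file names and the SAMPLE_CHAIN record are constructed."""
import os

# Extensions a user would expect to open as a harmless document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions Windows will execute directly or via a script host.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".lnk"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tar"}


def split_extensions(name):
    """Return all lowercase extensions, outermost last: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = os.path.basename(name).lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def is_double_extension_masquerade(name):
    """True when a document-looking extension is immediately followed by an executable one."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def classify_attachment(name):
    """Coarse label driven by the real (final) extension."""
    exts = split_extensions(name)
    if not exts:
        return "no-extension"
    if is_double_extension_masquerade(name):
        return "masquerade"
    if exts[-1] in EXECUTABLE_EXTS:
        return "executable"
    if exts[-1] in ARCHIVE_EXTS:
        return "archive"
    return "benign"


def assess_archive_chain(node, depth=1, findings=None):
    """Walk a nested-archive record and collect risk indicators.

    node is a dict: {"name": str, "password": bool, "members": [node, ...]}.
    Such a record would normally come from a sandbox or extraction step;
    here it is built by hand (see SAMPLE_CHAIN)."""
    if findings is None:
        findings = []
    kind = classify_attachment(node["name"])
    if kind == "archive":
        if node.get("password"):
            findings.append(f"password-protected archive at depth {depth}: {node['name']}")
        if depth >= 3:
            findings.append(f"archive nesting depth {depth} reached at {node['name']}")
        for child in node.get("members", []):
            assess_archive_chain(child, depth + 1, findings)
    elif kind == "masquerade":
        findings.append(f"double-extension executable at depth {depth}: {node['name']}")
    elif kind == "executable":
        findings.append(f"executable at depth {depth}: {node['name']}")
    return findings


# Constructed record mirroring the layering described in the article:
# ZIP -> RAR -> password-protected 7z -> document-named executable.
SAMPLE_CHAIN = {
    "name": "court_notice.zip", "password": False, "members": [
        {"name": "documents.rar", "password": False, "members": [
            {"name": "case_files.7z", "password": True, "members": [
                {"name": "notice.pdf.exe"},
            ]},
        ]},
    ],
}

if __name__ == "__main__":
    for finding in assess_archive_chain(SAMPLE_CHAIN):
        print("FLAG:", finding)
```

The walk does not need to extract anything: the indicators it reports (a password-protected inner layer, nesting three deep, a document-named executable) are all visible from listing metadata, which is why a gateway can quarantine such a message on structure alone even when the payload itself has no signature yet.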
“The use of such ‘living-off-the-land’ tools provides attackers with persistent, covert access, while often evading traditional antivirus detection,” the researchers said.
The use of RMS aligns with UAC-0050’s established modus operandi: the group is known to drop legitimate remote access software such as LiteManager and remote access trojans such as REMCOSRAT in attacks targeting Ukraine.
Ukraine’s Computer Emergency Response Team (CERT-UA) has characterized UAC-0050 as a mercenary group associated with Russian law enforcement agencies that conducts data gathering, financial theft, and information and psychological operations under the Fire Cell branding.
“This attack reflects Mercenary Akula’s well-established and repeatable attack profile, while also representing a notable evolution,” BlueVoyant said. “At first, their targeting focused primarily on Ukraine-based entities, particularly accountants and financial officers. However, this incident suggests possible investigation of Ukraine-backed institutions in Western Europe.”
The findings come as Ukraine disclosed that Russian cyberattacks targeting the country’s energy infrastructure have focused on gathering intelligence to guide missile strikes rather than immediately disrupting operations, The Record reports.
Cybersecurity company CrowdStrike said in its annual global threat report that it expects Russia-aligned adversaries to continue aggressive campaigns aimed at Ukrainian targets and gathering intelligence from NATO member states.
This involves efforts by APT29 (aka Cozy Bear and Midnight Blizzard) to “systematically” exploit trust, organizational credibility, and platform legitimacy as part of spear-phishing campaigns targeting US-based non-governmental organizations (NGOs) and US-based legal entities to gain unauthorized access to victims’ Microsoft accounts.
“Cozy Bear successfully compromised or impersonated individuals with whom targeted users maintained trusted professional relationships,” CrowdStrike said. “The impersonated individuals included employees of international NGO branches and pro-Ukraine organizations.”
“The adversary invested heavily in authenticating these impersonations, using legitimate email accounts of compromised individuals with burner communication channels to reinforce authenticity.”