Phishing Campaign Impersonating Ukrainian Government Agencies
A new phishing campaign impersonating Ukrainian government agencies to deliver malicious payloads has been identified by Fortinet FortiGuard Labs researcher Yurren Wan.
The campaign uses Scalable Vector Graphics (SVG) files attached to phishing emails to trick recipients into opening harmful content. The SVG file initiates the download of a password-protected ZIP archive containing a Compiled HTML Help (CHM) file. When the CHM file is launched, a series of events unfolds that ends in the deployment of CountLoader. The emails claim to be notifications from the National Police of Ukraine.
CountLoader, previously analyzed by Silent Push, serves as a distribution vector for Amatera Stealer and PureMiner in this attack chain. Amatera Stealer is a variant of ACRStealer, while PureMiner is a stealthy .NET cryptocurrency miner.
Malware Suite by Threat Actor PureCoder
The malware suite deployed in this campaign includes various payloads such as Cobalt Strike, AdaptixC2, and PureHVNC RAT. These are part of a broader suite developed by threat actor PureCoder, which also includes PureCrypter, PureRAT, PureLogs, BlueLoader, and PureClipper.
According to Fortinet, Amatera Stealer and PureMiner are executed as fileless threats: they are either compiled with .NET Ahead-of-Time (AOT) compilation and injected via process hollowing, or loaded directly into memory using PythonMemoryModule.
Stealing Data and Cryptocurrency
Amatera Stealer, once activated, gathers system information, collects files based on predefined extensions, and extracts data from browsers like Chrome and Firefox, as well as applications such as Steam, Telegram, and cryptocurrency wallets.
This phishing campaign highlights the use of SVG files as HTML substitutes to initiate an infection chain. By targeting Ukrainian government entities with emails containing SVG attachments, attackers were able to redirect victims to malicious download sites.
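The chain described above (SVG attachment acting as an HTML stand-in, then a password-protected ZIP carrying a CHM) can be triaged at a mail gateway without detonating anything. The following is an added example written for this page, not code from Fortinet or the report; the attachment names, the policy verdicts and the sample SVG/ZIP contents are constructed. It inspects an SVG for the features that let it behave like a web page (script elements, foreignObject, on* handlers, outbound hrefs) and lists ZIP members from the central directory, which stays in clear text even when the members are password-protected, so a CHM inside a locked archive is still visible to the scanner.

```python
"""Gateway-side triage for the SVG -> password-protected ZIP -> CHM chain.

Added example; not the report's or Fortinet's code. Assumes attachments are
available as raw bytes. All names and sample content are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

OUTBOUND_HREF = re.compile(r"^\s*(https?:|javascript:|data:)", re.I)


def inspect_svg(data: bytes) -> dict:
    """Record the features in an SVG that allow it to act as an HTML substitute."""
    findings = {"scripts": 0, "foreign_objects": 0, "event_handlers": [], "external_refs": []}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings["parse_error"] = True  # malformed XML: send to review rather than deliver
        return findings
    for el in root.iter():
        local = el.tag.split("}", 1)[-1]  # strip the namespace prefix
        if local == "script":
            findings["scripts"] += 1
        elif local == "foreignObject":  # can embed arbitrary HTML inside the image
            findings["foreign_objects"] += 1
        for attr, value in el.attrib.items():
            attr_local = attr.split("}", 1)[-1]  # handles xlink:href as well as href
            if attr_local.lower().startswith("on"):
                findings["event_handlers"].append(attr_local)
            if attr_local == "href" and OUTBOUND_HREF.match(value):
                findings["external_refs"].append(value.strip())
    return findings


def svg_is_suspicious(findings: dict) -> bool:
    """An emailed 'document' SVG needs none of these features; any one is enough to flag."""
    return bool(
        findings.get("parse_error")
        or findings["scripts"]
        or findings["foreign_objects"]
        or findings["event_handlers"]
        or findings["external_refs"]
    )


def inspect_zip(data: bytes) -> dict:
    """List ZIP members without extracting them.

    Member names and the general-purpose flags live in the central directory,
    which is not encrypted, so a locked archive still reveals that it carries
    a CHM and that its content cannot be scanned inline.
    """
    result = {"members": [], "encrypted_members": [], "chm_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                result["encrypted_members"].append(info.filename)
            if info.filename.lower().endswith(".chm"):
                result["chm_members"].append(info.filename)
    return result


def triage_attachment(name: str, data: bytes) -> str:
    """Constructed policy: return 'allow', 'review' or 'block' for one attachment."""
    lower = name.lower()
    if lower.endswith(".svg"):
        return "block" if svg_is_suspicious(inspect_svg(data)) else "allow"
    if lower.endswith(".zip"):
        try:
            z = inspect_zip(data)
        except zipfile.BadZipFile:
            return "review"
        if z["chm_members"]:
            return "block"
        return "review" if z["encrypted_members"] else "allow"
    if lower.endswith(".chm"):
        return "block"
    return "allow"


# Constructed samples (not artefacts from the campaign).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <text x="20" y="40">Notification (constructed sample text)</text>
  <a xlink:href="https://download.example.invalid/notice.zip"><rect width="600" height="400" fill="none"/></a>
  <script>/* constructed sample: a lure would navigate to the archive from here */</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'


def build_sample_zip(simulate_password: bool = True) -> bytes:
    """Construct an in-memory ZIP holding a placeholder CHM.

    zipfile cannot write encrypted archives, so to mimic a password-protected
    download the encryption flag bit is set in the local header (offset 6) and
    the central directory entry (offset 8) after writing. Only the flag changes;
    the member is a placeholder, not a real CHM.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Notification_12345.chm", b"placeholder, not a real CHM")
    data = bytearray(buf.getvalue())
    if simulate_password:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + flag_off] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    print("notice.svg ->", triage_attachment("notice.svg", SAMPLE_SVG))
    print("logo.svg   ->", triage_attachment("logo.svg", BENIGN_SVG))
    print("notice.zip ->", triage_attachment("notice.zip", build_sample_zip()), inspect_zip(build_sample_zip()))
```

The ZIP check deliberately never opens a member: the verdict comes from metadata alone, so the password the lure supplies to the victim is irrelevant to the scanner. The SVG check treats any active content as disqualifying because a legitimate image attachment has no reason to carry scripts, foreignObject or outbound links.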
Similar tactics were recently uncovered by Huntress, where a Vietnamese-speaking threat group utilized phishing emails with copyright infringement themes to deploy PXA Stealer and PureRAT in a multi-layered infection sequence.
Escalation of Attacks
Security researcher James Northey noted the progression in these campaigns, starting with simple phishing lures and evolving into layers of defense evasion and credential theft. The final payload, PureRAT, provides attackers with complete control over compromised hosts.
This escalation from basic obfuscation to utilizing advanced malware like PureRAT demonstrates the sophistication and maturation of threat actors involved in these campaigns.