Suspected Russian Hackers Deploy CANFAIL Malware Against Ukraine
Overview
A newly identified, suspected Russia-linked APT group has targeted Ukrainian defense, government, and energy sectors with CANFAIL malware. The Google Threat Intelligence Group (GTIG) has identified a previously undocumented threat actor behind these attacks. The group is possibly linked to Russian intelligence services and has focused on defense, military, government, and energy entities at both regional and national levels in Ukraine.
Phishing Campaigns
GTIG researchers have observed the group conducting phishing campaigns to deliver CANFAIL malware. The actor is also interested in aerospace, drone-linked manufacturers, nuclear research, and humanitarian groups tied to Ukraine. Additionally, Google reported that the group has probed Romanian and Moldovan entities.
“GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations,” reads the report published by Google.
Technical Insights
Despite being less sophisticated than other Russian threat groups, this actor has begun to overcome some technical limitations using Large Language Models (LLMs). It uses them to conduct reconnaissance, create social engineering lures, and seek answers to basic technical questions about post-compromise activity and C2 infrastructure setup. The phishing emails sent by the actor appear to be LLM-generated, using formal language and specific official templates; they often contain Google Drive links hosting a RAR archive in which the CANFAIL malware is disguised with a .pdf.js double extension.
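Two of the delivery traits described above, a Google Drive link in the mail body and a .pdf.js double-extension member inside the downloaded archive, can be checked mechanically at a mail gateway or sandbox. The following Python triage snippet is an added example, not code from Google's report; the extension lists, the sample lure body and the archive member names are constructed assumptions.

```python
import re
from typing import Dict, List

# Final extensions that Windows treats as runnable scripts or programs
# (Windows Script Host runs a .js file double-clicked in Explorer).
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr", "cmd", "bat", "ps1"}
# Decoy extensions a recipient reads as a harmless document or image.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

DRIVE_LINK = re.compile(r'https?://(?:drive|docs)\.google\.com/[^\s<>"]+', re.IGNORECASE)


def is_deceptive_double_extension(filename: str) -> bool:
    """True for names such as 'report.pdf.js': a decoy document extension
    followed by an executable one. With Explorer's default 'hide extensions
    for known file types' setting, such a file is displayed as 'report.pdf'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]   # strip() defeats 'report.pdf .js' padding
    if len(parts) < 3:
        return False                               # plain 'report.pdf' or 'script.js'
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def triage_message(body: str, archive_listing: List[str]) -> Dict[str, List[str]]:
    """Combine the two indicators from the report: a Google Drive link in the
    mail body and a double-extension member in the archive it points to."""
    return {
        "drive_links": DRIVE_LINK.findall(body),
        "suspicious_files": [f for f in archive_listing if is_deceptive_double_extension(f)],
    }


# Constructed sample input (not taken from the report): a lure body and the
# member names of the linked RAR archive, as a gateway or sandbox would see them.
SAMPLE_BODY = (
    "Dear Colleague,\n"
    "Please review the attached official notice at your earliest convenience:\n"
    "https://drive.google.com/file/d/EXAMPLE_FILE_ID/view\n"
    "Kind regards"
)
SAMPLE_ARCHIVE = ["Notice_2024.pdf.js", "readme.txt", "Annex.docx"]

if __name__ == "__main__":
    print(triage_message(SAMPLE_BODY, SAMPLE_ARCHIVE))
```

A real deployment would feed the archive member names from the unpacked RAR (for example via a sandbox report) rather than a hard-coded list; the decision logic stays the same.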
Ongoing Threats
Russian espionage groups continue to target Ukrainian and Western defense-related organizations using military- and drone-themed lures. For instance, APT44 (Sandworm/FROZENBARENTS), linked to GRU Unit 74455, has sought to extract data from Signal and Telegram, employing tools like WAVESIGN and INFAMOUSCHISEL to steal information from Windows and Android devices.
The report concludes that Russian threat actors have targeted secure messaging applications used by the Ukrainian military to communicate and orchestrate military operations, including attempts to exfiltrate locally stored databases of these apps.