Hacker groups profit from the conflict on the territory of Ukraine

Source: https://cobaltstrike.net/2022/04/04/hacker-groups-profit-from-the-conflict-on-the-territory-of-ukraine/

In mid-March 2022, at least three different APT groups from around the world launched targeted phishing campaigns, taking advantage of the military conflict on the territory of Ukraine as bait to spread malware and steal confidential information.

The campaigns carried out by the El Machete, Lyceum and SideWinder groups target various sectors, including the energy, financial and public sectors in Nicaragua, Venezuela, Israel, Saudi Arabia and Pakistan.

Attackers use decoys in the form of official-looking documents, news articles, or even job ads, depending on the goals and region. According to information security experts from Check Point Research, many decoy documents use malicious macros or template injection to gain a foothold on systems in certain organizations, and then launch further attacks and install the open-source remote access Trojan Loki.Rat.
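As an added defender-side example (not from the article or from Check Point's report), the following script flags the two document-level indicators the paragraph mentions: an external attached-template relationship (the Word remote template injection technique, which is what "template injection" is assumed to refer to here) and an embedded VBA project. It builds a constructed, minimal .docx-like package in memory so it runs offline; the `example.invalid` URL is a placeholder.

```python
import io
import re
import zipfile

# Relationship type Word uses for an attached template; an External TargetMode
# means the template is fetched from a URL when the document is opened.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes):
    """Return every external attachedTemplate target in the settings relationships."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith("settings.xml.rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = rel.group(0)
                if ATTACHED_TEMPLATE in tag and 'TargetMode="External"' in tag:
                    m = re.search(r'Target="([^"]*)"', tag)
                    if m:
                        targets.append(m.group(1))
    return targets


def has_vba_project(docx_bytes):
    """True if the package carries a VBA macro project (word/vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def build_sample(template_target=None):
    """Construct a minimal test package (not a valid Word file) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target:
            rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/relationships"><Relationship Id="rId1" '
                    f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                    'TargetMode="External"/></Relationships>')
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("http://example.invalid/template.dotm")  # constructed
    print("remote templates:", find_remote_templates(sample))
    print("has VBA project:", has_vba_project(sample))
```

Any external template target or VBA project in an inbound document is worth quarantining for analysis; the regex approach is deliberately simple and should be paired with a proper OOXML parser in production.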

One of the campaigns is organized by the Iranian APT group Lyceum. During their attacks, the hackers used emails purportedly describing "Russian war crimes in Ukraine". The emails actually install .NET and Golang loaders on the victim's system, which are then used to deploy a backdoor from a remote server.

Another example is SideWinder, supposedly acting in support of India’s political interests. In this case, cybercriminals used a malicious document to exploit the Equation Editor vulnerability in Microsoft Office (CVE-2017-11882) and further spread malware to steal information.