CERT Ukraine: Beware of fake Windows updates distributed by Microsoft Outlook domain emails



Ukraine’s Computer Emergency Response Team (CERT) has issued a warning about a malicious campaign that distributes fake Windows updates by email. The emails are malicious and target Ukrainian authorities. CERT notes that the threat actors use the outlook.com domain to appear legitimate and that the subject line is usually “Windows Update”, which keeps things simple. CERT added that the campaign is being carried out by APT28, which is classified as an Advanced Persistent Threat group from Russia and is also known as Fancy Bear and Pawn Storm, among other names.

In its bulletin, CERT explains (translated into English with Google):

During April 2023, the official Computer Emergency Response Team of Ukraine CERT-UA recorded cases of distribution of e-mails with the subject “Windows Update” in Ukrainian government institutions, apparently sent by departmental system administrators. At the same time, email addresses for senders on the public service “@outlook.com” can be created using the employee’s real name and initials.

If you’re wondering how the threat actors deliver the payload, CERT explains that the spoofed email itself lays out the instructions needed for a successful attack. Images are provided (see here) that walk victims through installing the malware on their own systems. This is done with a PowerShell command that downloads a further script designed to collect basic information about the computer using the “tasklist” and “systeminfo” commands; the results are then sent to the Mocky service API using an HTTP request. The campaign seems to rely mainly on the naivety of potential victims to infect their systems.
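One way to surface the behaviour described above in endpoint telemetry, added here as an example and not taken from CERT's bulletin: it flags any PowerShell process that launches both tasklist and systeminfo within a short window. The event records, host names, PIDs and the five-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SYS32 = "C:\\Windows\\System32\\"

# Constructed process-creation records (not from the bulletin):
# (time, host, parent image, parent PID, image)
SAMPLE_EVENTS = [
    ("2023-04-20T09:15:02", "ws-014", PS, 4312, SYS32 + "tasklist.exe"),
    ("2023-04-20T09:15:04", "ws-014", PS, 4312, SYS32 + "systeminfo.exe"),
    ("2023-04-20T09:40:10", "ws-022", CMD, 1180, SYS32 + "systeminfo.exe"),
    ("2023-04-20T10:00:00", "ws-031", PS, 900, SYS32 + "tasklist.exe"),
    ("2023-04-20T13:30:00", "ws-031", PS, 900, SYS32 + "systeminfo.exe"),
    ("2023-04-20T11:05:00", "ws-040", PS, 77, SYS32 + "tasklist.exe"),
]

RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}  # commands named in the article
SHELLS = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=5)                      # assumed correlation window


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_recon_bursts(events, window=WINDOW):
    """Return sorted (host, parent_pid) pairs where a single PowerShell
    process started every tool in RECON_TOOLS within `window`."""
    by_parent = defaultdict(list)
    for time, host, parent_image, parent_pid, image in events:
        tool = basename(image)
        if basename(parent_image) in SHELLS and tool in RECON_TOOLS:
            by_parent[(host, parent_pid)].append((datetime.fromisoformat(time), tool))

    hits = []
    for key, runs in sorted(by_parent.items()):
        runs.sort()
        for i, (start, _) in enumerate(runs):
            # Tools launched by this parent within `window` of this start time.
            seen = {tool for t, tool in runs[i:] if t - start <= window}
            if seen == RECON_TOOLS:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for host, pid in find_recon_bursts(SAMPLE_EVENTS):
        print(f"review {host}: powershell PID {pid} ran tasklist and systeminfo")
```

Administrators legitimately run both commands from PowerShell, so a hit is a lead to review alongside mail logs for “Windows Update” messages from outlook.com senders, not a verdict.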

You can see CERT’s official announcement here.

