Malicious RDP Files Identified in Latest Attack on Ukrainian Entities
TLP: WHITE | Adversary: APT29 | Author: AlienVault | Created: 2024-10-26 | Modified: 2024-10-28 | 8 IOCs (low volume)
CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign delivers RDP configuration files that establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29, the operation abuses the names of popular services such as Amazon and Microsoft. Infrastructure preparation began in August 2024, and the campaign has the potential to spread beyond Ukraine. Amazon has seized the impersonating domains to neutralize the threat. CERT-UA also warned of other attacks, including a large-scale operation stealing confidential information (UAC-0218) and a ClickFix-style campaign possibly linked to APT28.
Indicators of Compromise (8)
TYPE       INDICATOR                      CREATED
domain     aws-s3.cloud                   2024-10-26
domain     s3-aws.cloud                   2024-10-26
domain     s3-fbi.cloud                   2024-10-26
domain     s3-nsa.cloud                   2024-10-26
domain     s3-proofpoint.cloud            2024-10-26
hostname   ca-west-1.mfa-gov.cloud        2024-10-26
hostname   central-2-aws.ua-aws.army      2024-10-26
hostname   us-east-2-aws.ua-gov.cloud     2024-10-26
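An added defender-side example, not taken from the CERT-UA or AlienVault report: a Python triage check that parses an .rdp attachment, matches its "full address" (and any parent domain) against the eight indicators listed in this pulse, and flags the redirection settings that would hand local drives, devices and clipboard to the remote host, which is the data-theft path the summary describes. The setting names are standard mstsc .rdp keys; the sample .rdp content is constructed for the demonstration.

```python
import re

# Indicators listed in this pulse (hostnames and their registrable domains).
PULSE_INDICATORS = {
    "aws-s3.cloud", "s3-aws.cloud", "s3-fbi.cloud", "s3-nsa.cloud",
    "s3-proofpoint.cloud", "ca-west-1.mfa-gov.cloud",
    "central-2-aws.ua-aws.army", "us-east-2-aws.ua-gov.cloud",
}

# mstsc settings that expose local resources to the remote host: drive and
# device lists are risky whenever non-empty, the flag settings when set to 1.
LIST_REDIRECTS = ("drivestoredirect", "devicestoredirect")
FLAG_REDIRECTS = ("redirectclipboard", "redirectprinters",
                  "redirectsmartcards", "redirectcomports")

def parse_rdp(text):
    """Parse an .rdp file: one 'key:type:value' setting per line (type i or s)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([is]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def host_matches_pulse(host):
    """True if the host, or any parent domain of it, is a pulse indicator."""
    labels = host.lower().split(":")[0].split(".")   # drop an optional :port
    return any(".".join(labels[i:]) in PULSE_INDICATORS for i in range(len(labels)))

def triage_rdp(text):
    """Return findings for one .rdp file; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "")
    if host_matches_pulse(host):
        findings.append(f"full address {host!r} matches a pulse indicator")
    for key in LIST_REDIRECTS:
        if s.get(key):
            findings.append(f"{key} exposes local drives/devices ({s[key]!r})")
    for key in FLAG_REDIRECTS:
        if s.get(key) == "1":
            findings.append(f"{key} enabled")
    return findings

# Constructed sample modelled on what mstsc writes; not a real attachment.
SAMPLE_RDP = """full address:s:us-east-2-aws.ua-gov.cloud:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
"""
```

Run `triage_rdp(open(path).read())` over quarantined .rdp attachments; the constructed sample yields three findings (indicator match, drive redirection, clipboard redirection).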