The Ukrainian government team CERT-UA, operating under the State Service of Special Communications and Information Protection (SSSCIP), has detected new cyberattacks targeting Ukrainian defense enterprises. These attacks leverage the theme of UAV procurement.
"Hackers use various types of malware and may pose as employees of government agencies to gain trust," the Telegram channel reported.
According to SSSCIP, the attackers send an email with a ZIP file attachment containing a PDF document with a link. The recipient is prompted to follow the link to "download missing fonts."
Upon clicking the link, a file named "adobe_acrobat_fonts_pack.exe" is downloaded, which is actually the malicious program GLUEEGG, designed to decrypt and launch the loader DROPCLUE.
DROPCLUE downloads and opens two files on the computer: a decoy PDF file and an EXE file "font-pack-pdf-windows-64-bit," which eventually installs the legitimate remote management software ATERA.
As a result, hackers gain unauthorized access to the victim's computer.
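As an added illustration for defenders (this is example code, not part of the CERT-UA advisory or this report), the following Python correlates the two observable stages of the chain described above over constructed endpoint telemetry: a sighting of one of the named lure binaries followed shortly by an install or start of the Atera agent. It assumes a simple event-dict shape and that the Atera product or process name contains "atera"; a standalone Atera rollout with no preceding lure is deliberately not alerted on.

```python
"""Sequence detection for the UAV-procurement lure chain (example code)."""
from collections import defaultdict

# File names the report attributes to the chain.
LURE_BINARIES = ("adobe_acrobat_fonts_pack.exe", "font-pack-pdf-windows-64-bit")
# Assumption: the Atera installer/product/process name contains "atera".
RMM_MARKER = "atera"
WINDOW_SECONDS = 30 * 60  # stage 2 is expected shortly after stage 1


def _is_lure(name: str) -> bool:
    n = name.lower()
    return any(b in n for b in LURE_BINARIES)


def detect_chain(events, window=WINDOW_SECONDS):
    """Return one alert per host where a lure binary is seen and Atera is
    installed or started within `window` seconds afterwards.

    Each event is a dict: host, ts (epoch seconds), kind
    ('download' | 'process' | 'install') and name (file/product name)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        lure_ts = None
        for ev in evs:
            if ev["kind"] in ("download", "process") and _is_lure(ev["name"]):
                lure_ts = ev["ts"]  # remember the latest lure sighting
            elif (ev["kind"] in ("install", "process")
                  and RMM_MARKER in ev["name"].lower()
                  and lure_ts is not None
                  and 0 <= ev["ts"] - lure_ts <= window):
                alerts.append({"host": host, "lure_ts": lure_ts,
                               "rmm_ts": ev["ts"], "rmm": ev["name"]})
                lure_ts = None  # one alert per chain
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": 1000, "kind": "download", "name": "adobe_acrobat_fonts_pack.exe"},
    {"host": "WS-01", "ts": 1100, "kind": "process", "name": "font-pack-pdf-windows-64-bit.exe"},
    {"host": "WS-01", "ts": 1300, "kind": "install", "name": "Atera Agent"},
    {"host": "WS-02", "ts": 5000, "kind": "install", "name": "Atera Agent"},  # planned rollout
    {"host": "WS-03", "ts": 100, "kind": "download", "name": "adobe_acrobat_fonts_pack.exe"},
    {"host": "WS-03", "ts": 7300, "kind": "install", "name": "Atera Agent"},  # outside window
]

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: lure at {a['lure_ts']}, {a['rmm']} at {a['rmm_ts']}")
```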
"The hostile activity is tracked under the identifier UAC-0180. This group actively targets employees of defense enterprises and the Defense Forces of Ukraine, constantly updating their arsenal of various malware, but their malicious activities are not limited to Ukraine," noted SSSCIP.