Ukrainian Media Targeted by Cyberattacks Again

Ukrainian Media Face New Wave of Cyberattacks

The Ukrainian government’s Computer Emergency Response Team (CERT-UA) has reported a new series of cyberattacks targeting Ukrainian media outlets. According to CERT-UA, attackers are distributing emails with the subject line “Primary Legal Aid” and an attachment named “Algorithm of Actions for Family Members of Missing Servicemen LegalAid.rar,” which is password-protected.

Experts say these emails are being sent from compromised email addresses within the gov.ua domain. The RAR archive contains a document titled “Algorithm_LegalAid.xlsm” that appears to provide legal information. However, when the file is opened, a macro is activated that runs a PowerShell command, which in turn deploys and launches a .NET loader called “MSCommondll.exe.” This loader installs and runs the DarkCrystal RAT trojan—a hacking tool that gives attackers extensive access to the infected system. Capabilities include keylogging, launching DDoS attacks, executing commands, taking screenshots, and stealing data from the clipboard, Telegram, and web browsers.
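As an added illustration (not from CERT-UA or the original article), the execution chain described above can be hunted for in process-creation telemetry by looking for an Office application that spawns PowerShell, which in turn spawns another executable. The event records, PIDs, file paths and field names below are constructed for the example; only the file names "Algorithm_LegalAid.xlsm" and "MSCommondll.exe" come from the report.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'EXCEL.EXE "C:\Users\u\Downloads\Algorithm_LegalAid.xlsm"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <command line not given in the report>"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Users\u\AppData\Local\Temp\MSCommondll.exe", "cmd": "MSCommondll.exe"},
    # Benign contrast: an interactive shell started from Explorer.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LOADER_NAME = "mscommondll.exe"  # loader file name given in the CERT-UA report

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def ancestry(event, by_pid):
    """Image names from the event up to the root, nearest first (loop-safe)."""
    chain, seen = [], set()
    while event and event["pid"] not in seen:
        seen.add(event["pid"])
        chain.append(base(event["image"]))
        event = by_pid.get(event["ppid"])
    return chain

def find_macro_chains(events):
    """Flag processes whose parent is PowerShell and grandparent is an Office app."""
    # Assumption: PIDs are unique in this window; real data should key on process GUIDs.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e, by_pid)
        if len(chain) >= 3 and chain[1] in SHELLS and chain[2] in OFFICE:
            reason = "named loader" if chain[0] == LOADER_NAME else "office->powershell->child"
            alerts.append((e["pid"], reason, " <- ".join(chain[:3])))
    return alerts
```

The parent-child pattern still fires if the loader is renamed; the file name match only raises confidence when it is present.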

“Based on the email addresses of the recipients and the command-and-control domain for DarkCrystal RAT, we believe the attack is aimed at Ukrainian telecommunications operators and providers. In a previous attack on June 10, 2022, the targets were Ukrainian media organizations,” CERT-UA concluded.
