October 28, 2024 at 11:36AM
A Russian espionage group, UNC5812, has been found delivering malware to the Ukrainian military through a Telegram channel called Civil Defense. The campaign distributes both Windows and Android malware and pairs it with messaging intended to shape perceptions about military recruitment. It aims to compromise devices through deceptive software and social manipulation.
**Meeting Takeaways – Oct 28, 2024: Cyber Espionage / Android**
1. **Threat Overview**:
– A suspected Russian hybrid operation identified as UNC5812 is targeting the Ukrainian military with malware through a Telegram channel named Civil Defense.
– The operation involves both Windows and Android malware distribution.
2. **Key Players**:
– Google’s Threat Analysis Group (TAG) and Mandiant are monitoring this operation.
3. **Channel and Website**:
– Civil Defense’s Telegram channel was created on September 10, 2024, and currently has 184 subscribers.
– A corresponding website (civildefense.com[.]ua) was registered on April 24, 2024.
4. **Malware Functionality**:
– The software purports to help conscripts track the locations of military recruiters, but it actually installs malware; on Android it can only be installed once the user has disabled Google Play Protect.
– For Android users, the malware package “com.http.masters” includes a remote access trojan (CraxsRAT), which possesses extensive spying capabilities.
5. **Windows Malware**:
– For Windows systems, users are directed to a ZIP archive containing a PHP-based malware loader (Pronsis), which delivers SUNSPINNER and an information stealer called PureStealer.
6. **Influence Operations**:
– UNC5812 is also involved in influence campaigns aimed at weakening support for Ukraine’s military efforts.
7. **C2 Server and User Instructions**:
– The malware displays a manipulated map of military recruitment locations and gives users step-by-step guidance on disabling Google Play Protect.
8. **Background on CraxsRAT**:
– CraxsRAT is known for its advanced spying features and remote-control capabilities. Although earlier activity stopped after public exposure, development may be continuing with new delivery methods.
9. **Website Claims**:
– The Civil Defense website claims to offer software for macOS and iPhones; however, only Windows and Android payloads were found upon review.
10. **Security Implications**:
– This operation exemplifies the use of messaging apps for malware distribution and highlights the cyber-warfare tactics Russia continues to employ in the context of Ukraine.
These insights underscore the importance of vigilance against cyber threats, particularly in high-stakes geopolitical environments.