Kremlin-Backed Malware Targets Ukrainian Military Recruits
Recent findings from Google researchers reveal the emergence of a sophisticated operation allegedly backed by the Kremlin, aimed at targeting individuals considering enlistment in the Ukrainian military. This disturbing campaign utilizes information-stealing malware designed for both Windows and Android platforms, primarily disseminated through Telegram under the guise of benign software offerings.
Operating through a Telegram channel named "Civil Defense," this threat actor has used social engineering tactics to lure potential recruits. Posts in the @civildefense_com_ua channel, along with content hosted on the civildefense[.]com.ua website, falsely advertise free applications intended to help users locate Ukrainian military recruiters. However, these applications instead deliver infostealers capable of extracting sensitive information from the devices of unwitting users. Google has dubbed this threat group UNC5812.
The operation combines espionage and influence, with the stated objective of directing victims to the UNC5812-controlled website, which offers software downloads for several operating systems. Google researchers note that gaining control of end-user devices through these downloads is how the malware is planted on victims' systems. The Android variants relied on social engineering to convince users to disable Google Play Protect, the built-in feature that scans installed apps for malware; with that protection switched off, the chance of a successful infection rises significantly.
During installation, these applications provided false reassurances regarding the necessity of unusual system permissions—a tactic designed to engender trust. An FAQ section on the website contained a strained justification for the apps being unavailable in the Google Play Store, a move likely aimed at circumventing prevailing security advisories that discourage sideloading applications from unknown sources.
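The two red flags the report describes on the Android side, an app installed outside Google Play and an app asking for permissions it has no business needing, can be checked together in an inventory triage. The script below is an added example and is not code from the report or from the researchers; it works on constructed app records rather than a live device, the package names are placeholders rather than indicators from the campaign, and the set of "sensitive" permissions is an assumption on our part, since the report does not say which permissions the apps requested. The installer-package convention (Play Store installs carry `com.android.vending`) is standard Android behaviour.

```python
"""Flag sideloaded Android apps that hold infostealer-grade permissions.

Added example, not from the original report. Input records are constructed;
the SENSITIVE_PERMISSIONS set is our assumption about what "unusual system
permissions" would look like for an infostealer, not a list from the report.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Apps installed from the Play Store report this installer package name.
# Sideloaded apps typically show None or the platform package installer.
PLAY_STORE_INSTALLER = "com.android.vending"

# Real Android permission strings; which ones matter for this campaign is an
# assumption, chosen to match what an SMS/contacts/screen-reading stealer needs.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


@dataclass
class AppRecord:
    """One installed app: package name, who installed it, granted permissions."""
    package: str
    installer: Optional[str]
    permissions: Set[str] = field(default_factory=set)


def sideloaded(app: AppRecord) -> bool:
    """True when the app did not come through the Play Store."""
    return app.installer != PLAY_STORE_INSTALLER


def risk_score(app: AppRecord) -> int:
    """Number of sensitive permissions held by a sideloaded app (0 if Play-installed)."""
    if not sideloaded(app):
        return 0
    return len(app.permissions & SENSITIVE_PERMISSIONS)


def triage(apps: List[AppRecord], threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, matched permissions) for apps at or above threshold,
    highest score first so the most suspicious sideload is reviewed first."""
    findings = []
    for app in apps:
        score = risk_score(app)
        if score >= threshold:
            hits = sorted(app.permissions & SENSITIVE_PERMISSIONS)
            findings.append((app.package, score, hits))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


# Constructed inventory; package names are placeholders, not real indicators.
SAMPLE_APPS = [
    AppRecord("com.example.bank", PLAY_STORE_INSTALLER,
              {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"}),
    AppRecord("com.example.recruiter_locator", None,
              {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
               "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.INTERNET"}),
    AppRecord("com.example.flashlight", "com.google.android.packageinstaller",
              {"android.permission.CAMERA"}),
    AppRecord("com.example.notes", None,
              {"android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW"}),
]

if __name__ == "__main__":
    for package, score, hits in triage(SAMPLE_APPS):
        print(f"{package}: {score} sensitive permission(s) on a sideloaded app -> {hits}")
```

A Play-installed app with the same permissions scores zero here on purpose: the report's point is the combination of sideloading with the permissions, not the permissions alone, and a banking app from the store legitimately reading SMS codes should not drown out a sideloaded "recruiter locator" doing the same.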
Both the Windows and Android malware components leverage readily available infostealer software. The Android variant mirrors functionality seen in CraxsRat, known for its backdoor capabilities, while the Windows malware employs a customized version of Pronsis Loader, uncovered by Trustwave last month. This loader is utilized to install PureStealer, commercially available for $150 monthly or $699 for a lifetime subscription.
While the Civil Defense website also claims to offer versions for macOS and iOS, no such software was accessible at the time of reporting.
In terms of tactics used in this operation, it is possible that UNC5812 employed various techniques cataloged in the MITRE ATT&CK framework, notably those associated with initial access and persistence. The reliance on social engineering reflects a strategic understanding of psychological manipulation to facilitate malware installation and maintain a foothold on compromised systems. This operation underscores the pressing need for robust cybersecurity measures for potential recruits and their devices, as adversaries increasingly turn to digital means to achieve their objectives.