Hackers target Ukraine’s potential conscripts with MeduzaStealer malware

Summary: Hackers have targeted Ukraine’s draft-aged men using MeduzaStealer malware, distributed via a Telegram account posing as customer support for the government app Reserve+. This malware aims to steal sensitive personal data from users, highlighting the ongoing cyber threats faced by Ukraine amidst the conflict.

Threat Actor: Unidentified (MeduzaStealer was previously deployed by UAC-0050)
Victim: Ukrainian draft-aged men

Key Points:

  • MeduzaStealer malware was spread through a Telegram account disguised as a technical support bot for the Reserve+ app.
  • The malware is designed to steal sensitive documents and personal data from infected devices before self-deleting.
  • Over 4.5 million Ukrainians have used the Reserve+ app, making it a prime target for cyber attacks.
  • Previous attacks have involved the use of popular messaging apps like Signal and Telegram to target Ukrainian military personnel.

Hackers have targeted the devices of Ukraine’s draft-aged men with MeduzaStealer malware spread through Telegram, researchers have found.

MeduzaStealer was previously used by Russia-linked threat actors to obtain login credentials, computer information, browsing history and data from password managers. Last year, a threat actor known as UAC-0050 deployed the malware against targets in Ukraine and Poland.

According to a new report from Ukraine’s computer emergency response team (CERT-UA), the unidentified hackers recently distributed MeduzaStealer through a Telegram account disguised as a technical support bot for users of the new Ukrainian government app called Reserve+.

Launched earlier this year, the app allows Ukrainian men liable for military service to update their personal data online instead of going to local enlistment offices. Given the sensitivity of the data the app collects, it has become an attractive target for hackers.

In the campaign analyzed by CERT-UA, the hackers posed as Reserve+ customer support and asked users to download and open a ZIP archive that supposedly contained instructions on how to correctly update the personal data required by Ukraine’s military officials.

Once the archive was opened, the malicious file inside infected the device with MeduzaStealer, which is designed to collect documents with certain file extensions and then delete itself from the host.

CERT-UA’s report did not mention how many Ukrainians have fallen victim to the attack or how the hackers might use the data they obtain. As of July, over 4.5 million Ukrainians used Reserve+ to update their personal data.

Earlier in August, the Ukrainian Defense Ministry reported the discovery of three fake Reserve+ apps, likely designed to collect the personal data of Ukrainian conscripts and later use it for new attacks or information and psychological operations.

Russia-linked hackers have previously abused popular mobile apps and messengers, including Signal and Telegram, to target Ukraine’s military personnel.

In September, for example, the hackers used Signal to infect devices used by Ukrainian soldiers with malware delivered through files disguised as military software. According to CERT-UA, the goal of those attacks was to steal credentials for special military systems and identify the soldiers’ locations.

Source: https://therecord.media/hackers-target-ukraine-draftees-meduzastealer-malware-telegram