Malware and online scams use Ukraine war as a stepping stone

Bitdefender Labs is seeing an increase in malware distribution and online scams related to the Ukraine war. Remote access Trojans delivered as attachments are landing in manufacturing companies, and 42% of the Ukraine variant of the "Nigerian Prince" scam ended up in German mailboxes.

Cyberwar is a dominant IT aspect of the current conflict. Spammers riding on the conflict are currently sending their emails to recipients outside the countries directly involved as well. The more violent the clashes in Ukraine, the higher the number of online fraud or malware mailings. The criminals' perfidious goal: to exploit the humanitarian crisis and people's general willingness to help.

Agent Tesla Remote Access Trojan

Bitdefender Labs has observed several email campaigns over the past few days, some of which are aimed at companies and also end up in German mailboxes. Hackers are attacking companies in the manufacturing industry with Agent Tesla, a so-called "Malware-as-a-Service" remote access Trojan (MaaS RAT). It steals data and was used by hackers for numerous email campaigns, especially during the pandemic.

The spam emails attempt to distribute the malicious tool via a ZIP attachment called "REQ Supplier Survey". According to the email, recipients are asked to provide information for a study on their backup plans in view of the Ukraine war. The malicious payload is downloaded from a Discord link and deployed directly onto the victim's system. To distract the user, a legitimate Chrome version is downloaded as well.

86 percent of the emails come from a Dutch IP address. The attackers send them worldwide: most frequently to South Korea (23%) and the Czech Republic (14%). Germany and Great Britain share third place with 10% each.

Spam mail with Agent Tesla Remote Access Trojan (Image: Bitdefender).

Remcos RAT malware campaign

Bitdefender experts have been monitoring another malware spam campaign since March 2nd. Here, the attackers pose as a South Korean specialist in analytical equipment for in-vitro diagnostics. They spread the Remcos RAT malware via an attached Excel spreadsheet (SUCT220002). In this way, cybercriminals can gain full control over the attacked systems via infected documents or archives. Remcos RAT records keystrokes, screenshots, credentials and other sensitive system information and exfiltrates them to the operators' servers.

According to the IP address, 89% of the emails come from Germany and 19% from the USA. In addition to Ireland (32%), India (17%) and the USA (7%), the recipient countries include Great Britain, Germany and Vietnam, each with 4% of the recipients.

Fraudulent fundraising

In fraudulent emails, scammers pretend to belong to the Ukrainian government or to organizations such as Act for Peace, UNICEF and the Ukraine Crisis Relief Fund. They then use various subject lines to ask for monetary donations to the Ukrainian army or for help for the civilian population in the war zone. 7% of emails with the subject "Stand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum and USDT" have so far ended up with German recipients; 25% went to Great Britain, 14% to the USA, 10% to South Korea, 8% to Japan, 4% to Romania and 2% each to Greece, Finland and Italy.
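As an added example that is not part of the Bitdefender report or this article, the following Python script triages an email against the indicators described for the three campaigns above: the attachment names "REQ Supplier Survey" and "SUCT220002", a payload download link on Discord, and the cryptocurrency-donation subject line. The sample messages are constructed, and the Discord CDN URL pattern is an assumption rather than something the article states.

```python
import re
from email.message import EmailMessage

# Indicators taken from the campaigns described in the article.
KNOWN_ATTACHMENT_STEMS = {"req supplier survey", "suct220002"}
DONATION_PHRASES = ("stand with the people of ukraine", "cryptocurrency donations")
RISKY_EXTENSIONS = {"zip", "xls", "xlsx", "xlsm"}
# Shape of a Discord CDN attachment URL (assumed pattern, not from the article).
DISCORD_CDN = re.compile(r"https?://(?:cdn\.)?discord(?:app)?\.com/attachments/", re.I)

def score_message(msg):
    """Return a list of findings for one EmailMessage; an empty list means nothing matched."""
    findings = []
    subject = (msg["Subject"] or "").lower()
    if any(phrase in subject for phrase in DONATION_PHRASES):
        findings.append("donation-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if stem in KNOWN_ATTACHMENT_STEMS:
            findings.append(f"known attachment name: {name}")
        elif dot and ext in RISKY_EXTENSIONS:
            findings.append(f"archive/office attachment: {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and DISCORD_CDN.search(body.get_content()):
        findings.append("Discord CDN download link in body")
    return findings

def build_sample(subject, body, filename=None, maintype="application", subtype="zip"):
    """Build a constructed test message (addresses and payload bytes are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"PK\x03\x04", maintype=maintype, subtype=subtype, filename=filename)
    return msg

# Constructed samples modelled on the article's three campaigns, plus one benign mail.
AGENT_TESLA = build_sample("REQ Supplier Survey",
    "Please complete the attached survey on your backup plans.\n"
    "https://cdn.discordapp.com/attachments/000/000/survey.exe",
    "REQ Supplier Survey.zip")
REMCOS = build_sample("Quotation SUCT220002", "See the attached sheet.",
    "SUCT220002.xlsx", subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet")
DONATION = build_sample("Stand with the people of Ukraine. Now accepting "
    "cryptocurrency donations. Bitcoin, Ethereum and USDT", "Donate today.")
BENIGN = build_sample("Lunch on Friday?", "Are you free at noon?")
```

Calling score_message() on each sample returns the matched indicators, so the same function can be run over messages parsed with email.message_from_bytes() from a mail archive.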

The Nigerian prince is back

Fraudsters are picking up on this well-known cyber scam motif and spreading it, especially in Germany: a businessman from Ukraine is allegedly asking for help in transferring ten million US dollars until he can safely take the money back himself. If the victim makes contact, the attackers will likely ask for personal information, promise a reward and request money, for example to cover bank fees. The victims then never see their money again.

83% of the sender IP addresses are in Botswana, 10% in Germany and 5% in France. The addressees live primarily in Germany (42%), followed by Turkey (16%), the United States of America (16%), Ireland (8%) and Poland (3%).

Given this wave of email scams disguised as emotional appeals, users should exercise standard due diligence when dealing with unexpected emails right now.

This includes:

  • Not clicking on links or attachments that ask for an urgent donation
  • Donating only through official and recognized organizations
  • Regularly checking bank accounts for suspicious activity
  • Using a separate password for every online account

More at Bitdefender.com
