1. NEW WAVE OF ATTACKS IN UKRAINE
Marina Krotofil based on materials from Aleksey Yasinskiy
2. Short description
As last year, the wave of attacks started in July
• It is hot and everybody is in a carefree summer mood
• Embedded macros
• Many people are on vacation, and those who are not perform the duties of those who are (and open aaaaall the attachments)
The attacks grew in sophistication (in comparison to 2015)
• New routines that detect the security protections installed on the infected machine
• Improved obfuscation techniques
As last year, there is a “silence” period
• Several C&C servers went offline
• No immediate destructive attacks
A new wave of destructive attacks is awaited
3. New wave of infection via spear phishing
July 14, 2016
An angry customer complains about financial spam (a scam). He received an email purporting to come from Diamantbank, stating that he had taken out a large loan but never started repaying it; he now owes the bank a large sum of money and is threatened with legal action.
Although the customer understood it was a scam, he OPENED the attachment (and got infected).
4. Discussions on parenting forums
July 14, 2016
Mothers on parenting forums discuss receiving similar financial spam (scam). Although they realised it was spam, they all opened the attachment first.
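Both of these slides describe the same failure: the attachment gets opened even when the recipient knows the mail is a scam, so the attachment itself is the thing to triage before it reaches a mailbox. The following is an added example and is not part of the original deck or of ISSP's own tooling. It assumes the lure is an RTF file carrying an embedded OLE object, the OLE 1.0 container that the `\objdata` destination holds, and it lists each embedded object with its class name and whether its native payload is an OLE compound file (the container format that carries VBA macro streams). The sample RTF is constructed inline and is not a real sample; the function and field names are the example's own.

```python
"""Triage helper for RTF attachments: list embedded OLE objects (added example)."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature
HEX_DIGITS = set("0123456789abcdefABCDEF")


def extract_objdata(rtf: str) -> list:
    """Return the decoded bytes of every \\objdata destination in the RTF text.

    The hex payload runs until the group containing \\objdata closes, so braces
    are tracked and only hex digits at that nesting level are collected.
    """
    blobs = []
    pos = 0
    while True:
        start = rtf.find("\\objdata", pos)
        if start == -1:
            break
        i = start + len("\\objdata")
        depth = 1  # inside the group that opened before \objdata
        hex_chars = []
        while i < len(rtf) and depth > 0:
            ch = rtf[i]
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            elif depth == 1 and ch in HEX_DIGITS:
                hex_chars.append(ch)
            i += 1
        if len(hex_chars) % 2:  # odd digit count means a truncated payload
            hex_chars.pop()
        blobs.append(bytes.fromhex("".join(hex_chars)))
        pos = i
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) carried by \\objdata."""
    def lp_string(off):
        # LengthPrefixedAnsiString: 4-byte length (incl. NUL) then the bytes
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        text = blob[off:off + n].rstrip(b"\x00").decode("latin-1", "replace")
        return text, off + n

    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = lp_string(8)
    _topic_name, off = lp_string(off)
    _item_name, off = lp_string(off)
    native = b""
    if format_id == 2:  # EmbeddedObject: NativeDataSize followed by NativeData
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format_id": format_id,
            "class_name": class_name, "native_size": len(native),
            "is_compound_file": native.startswith(CFB_MAGIC)}


def triage_rtf(rtf: str) -> list:
    """One finding per embedded object, with a verdict an analyst can act on."""
    findings = []
    for blob in extract_objdata(rtf):
        try:
            info = parse_ole1(blob)
        except struct.error:
            findings.append({"class_name": None, "format_id": None,
                             "verdict": "malformed \\objdata payload"})
            continue
        if info["is_compound_file"]:
            info["verdict"] = "embedded OLE compound file: inspect for VBA macro streams"
        elif info["format_id"] == 1:
            info["verdict"] = "linked object (content fetched from an external source)"
        else:
            info["verdict"] = "embedded object of unknown type"
        findings.append(info)
    return findings


def _lp(s: bytes) -> bytes:
    """Encode a LengthPrefixedAnsiString (length counts the trailing NUL)."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_rtf() -> str:
    """Constructed test input, not a real sample: an RTF 'invoice' with one
    embedded Word.Document.8 object whose native data starts with CFB_MAGIC."""
    native = CFB_MAGIC + b"\x00" * 24
    ole1 = (struct.pack("<II", 0x00000501, 2) + _lp(b"Word.Document.8")
            + struct.pack("<I", 0) + struct.pack("<I", 0)  # empty topic/item names
            + struct.pack("<I", len(native)) + native)
    return ("{\\rtf1\\ansi Invoice attached.\\par"
            "{\\object\\objemb{\\*\\objclass Word.Document.8}"
            "{\\*\\objdata " + ole1.hex() + "}}}")


if __name__ == "__main__":
    for finding in triage_rtf(build_sample_rtf()):
        print(finding)
```

The script only answers the first triage question (does this document smuggle in an OLE container at all, and of which class); whether that container actually holds macros needs a compound-file parser such as the ones the referenced analyses use, and a `\bin`-encoded payload or an `\objdata` group split by control words would need additional handling.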
11. Afterword
One hypothesis is that Ukraine, among other countries, is being used as a playground for testing new attack strategies and techniques
• The purpose of the infection is currently still unclear
• Malware is becoming more intelligent and more aware of its environment
• About one month after infection, the malware is very hard to detect on the infected machine
For more information about attacks in Ukraine see
• Analysis of embedded macros: https://socprime.com/en/blog/infrastructure-infiltration-via-rtf/
• Analysis of other malicious activities: https://socprime.com/en/blog/
Aleksey Yasinskiy: Head of ISSP Labs & Research Center
@Aleksey_yas; https://
Marina Krotofil: Lead Security Researcher at Honeywell Industrial Cyber Security Lab
@marmusha
Opinions are our own