Ukraine Hit by New Malware Attacks via a Compromised Web Server

Ukraine became the center of a cybersecurity storm after the Petya ransomware outbreak hit parts of Europe in late June. The country served as the ground zero for the attack, which was identified to have initially come from an update to an accounting software package used by many Ukranian companies. A recent attack put Ukraine back in the security spotlight with the discovery of new malware variants (Detected by Trend Micro as Mal_SageCrypt-1h, BKDR_TRICKBOT.SM, JS_DLOADR.AUSUCK and TSPY_EMOTET.SML3)—this time from Crystal Finance Millenium (CFM), another company that creates accounting software for businesses.

According to the initial reports from Information Systems Security Partners (ISSP), CFM’s web servers were compromised by hackers, which they then used to store the malware. The attackers then sent phishing emails that came attached with ZIP files containing JavaScript files. When executed, these JS files would then download the load.exe file from CFM’s compromised web server. This file is responsible for executing the malware used in the attack. Additional data from ISSP indicates that this could just be a smaller part of a larger campaign, as load.exe files were also found on the web servers of other companies.

The researchers also mentioned that this new attack could possibly be timed to coincide with Ukraine’s Independence Day on August 24. The Ukranian Central Bank had already previously warned both state-owned and private lenders of the new malware. State cyber police also mentioned this discovery.

CFM’s web provider has taken down the company’s website to ensure that the malware involved in this incident does not spread further.

This latest incident shows that organizations need to prioritize securing their servers, as it can be used for malicious purposes. By appearing as originating from a seemingly “legitimate” source, the attackers were able to trick the victims into believing the legitimacy of the phishing emails used in the attack. For companies, implementing multi-factor authentication for website credentials, as well as using measures such network segmentation and data categorization can be used to minimize the effects of targeted attacks, while on the endpoint level, a combination of common sense and best practices can help prevent infection.

Trend Micro Solutions

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.

Trend Micro™ Deep Discovery Inspector
is designed to quickly detect advanced malware that typically bypasses traditional security defenses and exfiltrates sensitive data. Using specialized detection engines and custom sandbox analysis, attacks can be detected and prevented.

Trend Micro
™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against malware and other threats. Trend Micro’s security solutions that come with Predictive Machine Learning and all relevant ransomware protection features enabled are already protected against advanced threats.

Our products, such as Deep Discovery also come with The Advanced Threat Scan Engine (ATSE), which uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks.

TippingPoint Advanced Threat Protection for Networks, powered by XGen™ security, enables 360-degree detection of network-based targeted attacks and advanced threats. By using specialized detection engines and custom sandbox analysis, TippingPoint Advanced Threat Protection for Networks identifies advanced and unknown malware, ransomware, zero-day exploits, command and control (C&C) communications, lateral movement and evasive attacker activities that are invisible to standard security defenses.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.