Security researchers are warning of a new malware campaign that targets people who support Ukraine in cyber warfare against Russia and are seeking tools to carry out their own cyber attacks against Russian or pro-Russian entities.
According to Cisco Talos, malicious actors are spreading malware disguised as a DDoS tool called “Liberator,” produced by a group called disBalancer, via Telegram channels associated with various sympathetic groups, such as the IT Army of Ukraine (a group of volunteers from all over the globe who conduct cyber attacks against Russian entities).
While the versions downloaded from the real Liberator website do not appear malicious, the versions distributed through Telegram contain malicious payloads, specifically the Phoenix info-stealer, which is designed to steal a variety of credentials and cryptocurrency-related data, such as wallets and MetaMask information, which is commonly associated with non-fungible tokens (NFTs).
Phoenix, first observed in 2019, was offered for sale in the cybercrime underground as MaaS (malware as a service) for $15/month or $80 for a lifetime subscription. The malware collects information from a variety of sources, including web browsers like Firefox and Chrome and other locations on the filesystem for key pieces of information. The gathered data is then sent to a remote IP address, in this case, a Russian IP. This particular IP address has been distributing info-stealers since at least November 2021.
“Cisco Talos constantly observes actors using any and all means to get their malware installed on systems, and the war in Ukraine is no exception. In this case, we found some cybercriminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet,” the research team cautioned.