istock-936338884-2.jpg
Image: solarseven, Getty Images/iStockphoto

As the invasion of Ukraine by Russian forces continues, users who sympathize with the defending country are also under attack. Cisco Talos published findings March 12 detailing a number of malware items being disguised as offensive cyber tools against Russian entities, when in actuality, the virus is designed to infect users who download the software. Cybercriminals are purportedly attempting to exploit unwitting users looking to assist Ukraine in its online defense against an invading Russia. The Vice Prime Minister of Ukraine tweeted February 28 that the country was recruiting cyber specialists as part of an IT army.

“The ongoing situation in Ukraine has quickly changed the cyber threat landscape, introducing an influx of actors of varying skill and a variety of new threats to Cisco customers and users globally,” Cisco Talos said in its blog post. “A variety of these tools are advertised as ways to target Russian or pro-Russian websites and have quickly spread on various social media platforms over the last few days as the interest in crowdsourced attacks grows.”

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

What tools are being used?

Those siding with Ukraine have seen an uptick in the amount of tainted files and malware attacks by Russian forces online, as one tool is advertised as a “Liberator” tool by a group known as disBalancer. Reported by the group to be a tool used in DDoS attacks, the tool in actuality the “Liberator” piece of software is malware that steals information unbeknownst to the user. The malware is typically offered in the form of spam emails offering donations towards the Ukrainian war effort, or refugee support websites.

The disBalancer software in question comes in the form of an executable file, protected by ASProtect, a packing software with protection functions. After performing anti-bug checks of a user’s system, the file will then grab user information from a variety of sources such as web browsers and other areas of the file system. In Cisco Talos’ example, some of the information dumped includes the user’s system build in addition to any cryptocurrency wallets and passwords stored on the device. Once this information is stolen, it is then sent to a Russian IP address and uploaded to a server.

As seen last week, Russia may be focused on obtaining and mixing different forms of cryptocurrency to aid in dodging sanctions placed on the country due to the currency’s lack of regulation. Cybercriminals who are not Russian-affiliated are also looking to obtain access to crypto wallets as well, due to the difficulty of tracking where crypto may be routed to in the event of an attack.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

What can users do to remain secure?

The most obvious answer may be simply not downloading strange files from unreliable sources, no matter what the software is purported to do. DDoS attacks remain illegal to run and even though a user may want to aid Ukraine in its cyber defenses against Russia. While the attempt at stealing information from users by these malicious actors is unfortunate, the consequences of downloading and running questionable software could have even more severe ramifications.

Another suggestion is to invest in quality antivirus software in the event that a compromised link is accidentally accessed by a user. Cisco Talos expects this type of malware to intensify as the war in Ukraine rages on, so it is imperative that users and their devices be prepared in the event of a cyber attack.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday