The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed that a threat actor it tracks as UAC-0125 is leveraging Cloudflare Workers service to trick military personnel in the country into downloading malware disguised as Army+, a mobile app that was introduced by the Ministry of Defence back in August 2024 in an effort to make the armed forces go paperless.
Users who visit the fake Cloudflare Workers websites are prompted to download a Windows executable of Army+, which is created using Nullsoft Scriptable Install System (NSIS), an open-source tool used to create installers for the operating system.
Opening the binary displays a decoy file to be launched, while also executing a PowerShell script that’s designed to install OpenSSH on the infected host, generate a pair of RSA cryptographic keys, add the public key to the “authorized_keys” file, and transmit the private key to an attacker-controlled server using the TOR anonymity network.
The end goal of the attack is to allow the adversary to gain remote access to the victim’s machine, CERT-UA said. It’s currently not known how these links are propagated.
The agency further noted that UAC-0125 is associated with another cluster called UAC-0002, which is better known as APT44, FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, an advanced persistent threat (APT) group with ties to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Earlier this month, Fortra revealed it has observed a “rising trend in legitimate service abuse,” with bad actors making use of Cloudflare Workers and Pages to host bogus Microsoft 365 login and human verification pages to steal users’ credentials.
The company said it has witnessed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024. Likewise, phishing attacks utilizing Cloudflare Workers have surged by 104%, climbing from 2,447 incidents in 2023 to 4,999 incidents to date.
The development comes as the European Council imposed sanctions against 16 individuals and three entities that it said were responsible for “Russia’s destabilizing actions abroad.”
This includes GRU Unit 29155, for its involvement in foreign assassinations, bombings, and cyber attacks across Europe, Groupe Panafricain pour le Commerce et l’Investissement, a disinformation network carrying out pro-Russian covert influence operations in the Central African Republic and Burkina Faso, and African Initiative, a news agency that amplified Russian propaganda and disinformation in Africa.
The sanctions also target Doppelganger, a Russia-led disinformation network known for disseminating narratives and in support of the Russian war of aggression against Ukraine, manipulate public opinion against the country, and erode Western support.
To that end, Sofia Zakharova, the department head in the Office of the President of the Russian Federation for the Development of Information and Communication Technologies and Communications Infrastructure, and Nikolai Tupikin, head and founder of GK Struktura (aka Company Group Structura), have been subjected to asset freezes and travel bans.
Tupikin was also sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) back in March 2024 for engaging in foreign malign influence campaigns.