Ukrainian-language malspam pushes RMS-based malware

Intel Name: Ukrainian-language malspam pushes RMS-based malware

Date of Scan: October 3, 2024

Impact: High

Summary:
Initial phishing attempts involved Ukrainian-language emails sent on October 1, 2024, themed around “payment orders,” all carrying the same attached PDF. Three examples were found on VirusTotal; two targeted .gov.ua recipients and one was sent to a US-based university. The spoofed PDF mimicked Ukraine’s PrivatBank and included a Bitbucket link to a now-defunct repository hosting a malicious 7-zip file. Inside, the 7-zip contained a zip file with a password-protected RAR file and a text file providing the password. The RAR file ultimately held a Windows EXE for RMS-based malware; RMS is a freely available remote desktop management tool from TektonIT.
