Ukrainian IT Army Hijacked by Info-stealing Malware

Security researchers are urging pro-Ukrainian actors to be wary of downloading DDoS tools to attack Russia, as they may be booby-trapped with info-stealing malware.

In late February, Ukrainian vice prime minister, Mykhailo Fedorov, called for a volunteer “IT army” of hackers to DDoS Russian targets.

However, Cisco Talos claimed that opportunistic cyber-criminals are looking to exploit the subsequent widespread outpouring of support for the Eastern European nation.

Specifically, it detected posts on Telegram offering DDoS tools which were actually loaded with malware. One such tool, dubbed “Liberator,” is offered by a group calling itself “disBalancer.” Although legitimate, it has been spoofed by others, said Cisco.

“The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users,” it explained.

“The malware in this case dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).”

There’s no way to tell the malicious spoofs from the real DDoS tool as none are digitally signed, the vendor warned.

As those behind this malicious activity have been distributing infostealers since last November, Cisco assessed that it’s not the work of new actors but those looking to make a quick buck from the war in Ukraine.

However, such tactics could escalate if Russia finds itself under sustained DDoS attack, warned Cisco.  

“In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation state,” it concluded.

“We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.”

The news comes after the Russian government this week revealed hackers had caused temporary outages of multiple agency websites by targeting an externally loaded widget used to collect visitor statistics.

Security researchers have also observed pro-Ukrainian hacktivists searching for and deleting Russian cloud databases.

What’s Hot on Infosecurity Magazine?