Phishing Campaign Targets EU Officials Working with Ukrainian Refugees

As the war in Ukraine continues, security researchers discovered what looks like a new attempt at covert cyber warfare. This time, the threat actors targeted European Union staff and officials who are working with Ukrainian refugees escaping from their war-torn country.

Phishing attack uses compromised email

Researchers with security firm Proofpoint published a report on the attack. According to Proofpoint, a "likely" state-backed actor is targeting European government officials who are working on handling the refugee wave coming from Ukraine. The phishing attack was carried out using an email address belonging to the Ukrainian military, which had previously been compromised by the threat actor.

The payload contained in the phishing email is an attached Excel file named "list of persons.xlsx" with malicious macros embedded in it. If the macro is allowed to run, it tries to fetch a secondary malicious payload written in Lua and called "SunSeed". The email address the phishing messages originate from belongs to a member of the Ukrainian military and is on the ukr.net mail domain.

On the social engineering side, the message came with the subject line "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022". This was tied in with the emergency meeting held by the NATO Security Council on the day preceding the date in the subject line. The attachment's filename, on the other hand, was intended to evoke the "kill list" of Ukrainian targets that made the news in late February.

How the SunSeed malware works

The payload installs a number of Lua dependencies, then executes the malicious SunSeed Lua script, and finally sets up persistence through a shortcut .lnk file. The chain also installs a modified copy of a legitimate Lua interpreter, renamed sppsvc.exe; this copy has been altered so that it writes nothing to the Windows console, in an effort to hide the malware's activity.

The shortcut file used for persistence is called Software Protection Service.lnk and is created under ~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.
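A defender-side triage routine, added here as an example and not taken from Proofpoint's report: it walks constructed, Sysmon-shaped file-creation and process-creation events (a hypothetical schema, not real telemetry) and flags the two observables described above, a Startup-folder .lnk written by an Office process and an sppsvc.exe running from anywhere other than System32, which is where the genuine Software Protection service binary lives.

```python
"""Triage helper for the SunSeed-style persistence chain described above.

Events are constructed for this example in a Sysmon-like shape (hypothetical
schema): id 11 = file created (image wrote target), id 1 = process created.
"""
import ntpath
import re

STARTUP = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample events; none of these paths come from real telemetry.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice" + STARTUP + r"\OneDrive.lnk"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\alice" + STARTUP + r"\Software Protection Service.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\sppsvc.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\sppsvc.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

STARTUP_RE = re.compile(re.escape(STARTUP) + r"\\[^\\]+\.lnk$", re.IGNORECASE)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SYSTEM32 = r"c:\windows\system32"


def triage(events):
    """Return (reason, event) pairs for events matching the SunSeed pattern."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        name = ntpath.basename(image).lower()
        if ev["id"] == 11 and STARTUP_RE.search(ev.get("target", "")):
            # A Startup-folder shortcut dropped by an Office process is the tail
            # of the macro -> SunSeed -> .lnk chain; Explorer doing it is routine.
            if name in OFFICE_APPS:
                hits.append(("startup-lnk-from-office", ev))
        elif ev["id"] == 1 and name == "sppsvc.exe":
            # The real Software Protection service binary runs from System32;
            # SunSeed's renamed Lua interpreter runs from the user profile.
            if ntpath.dirname(image).lower() != SYSTEM32:
                hits.append(("sppsvc-outside-system32", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, "->", ev["image"])
```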

Despite Proofpoint's belief that this is a state-backed entity, there is no hard evidence pointing to any specific group in any specific country. This report comes at a time when over a million Ukrainians have reportedly fled the country and are seeking refuge beyond Ukraine's borders. The Ukrainian influx of refugees has even prompted Japan, which traditionally had extremely low annual refugee quotas, to open its borders for people fleeing the war.

March 4, 2022