A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense.
Google’s Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name UNC5812. The threat group, which operates a Telegram channel named civildefense_com_ua, was created on September 10, 2024. As of writing, the channel has 184 subscribers. It also maintains a website at civildefense.com[.]ua that was registered on April 24, 2024.
“‘Civil Defense’ claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters,” the company said in a report shared with The Hacker News.
Should these programs be installed on Android devices that have Google Play Protect disabled, they are engineered to deploy an operating system-specific commodity malware along with a decoy mapping application dubbed SUNSPINNER.
UNC5812 is also said to be actively engaged in influence operations, disseminating narratives and soliciting content intended to undermine support for Ukraine’s mobilization and military recruitment efforts.
“UNC5812’s campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia’s war in Ukraine,” Google Threat Intelligence Group said.
Civil Defense, which has had its Telegram channel and website promoted by other legitimate, established Ukrainian-language Telegram channels, aims to direct victims to its website from where malicious software is downloaded depending on the operating system.
For Windows users, the ZIP archive leads to the deployment of a newly discovered PHP-based malware loader named Pronsis that’s used to distribute SUNSPINNER and an off-the-shelf stealer malware known as PureStealer that’s advertised for anywhere between $150 for a monthly subscription to $699 for a lifetime license.
SUNSPINNER, for its part, displays to users a map that renders purported locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server.
For those who are navigating to the website from Android devices, the attack chain deploys a malicious APK file (package name: “com.http.masters”) that embeds a remote access trojan referred to as CraxsRAT.
The website also includes instructions that guide victims on how to disable Google Play Protect and grant it all the requested permissions, allowing the malware to function unimpeded.
CraxsRAT is a notorious Android malware family that comes with capabilities for remote device control and advanced spyware functions such as keylogging, gesture manipulation, and recording of cameras, screens, and calls.
After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease activity, but not before selling their Telegram channel to a Chinese-speaking threat actor.
As of May 2024, EVLF is said to have stopped development on the malware due to scammers and cracked versions, but said they are working on a new web-based version that can be accessed from any machine.
“While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis,” Google said.
“The website’s FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to ‘protect the anonymity and security’ of its users, and directing them to a set of accompanying video instructions.”