Threat actors impersonate CERT-UA, distribute AGEWHEEZE malware

As outlined in Security Affairs, threat actors tracked as UAC-0255 have launched a sophisticated phishing campaign that impersonates the Ukrainian cybersecurity incident response team, CERT-UA. The operation aimed to distribute the AGEWHEEZE remote access tool to a wide range of potential victims.

The campaign targeted approximately 1 million users across sectors including government, healthcare, education, and finance. The attackers sent emails urging recipients to download a password-protected archive from Files.fm that contained a fake “security tool.” Once installed, this tool deployed AGEWHEEZE, a multifunctional malware capable of command execution, file management, and screen capture, which establishes persistence through registry entries or scheduled tasks. The attackers also set up a fake website, cert-ua[.]tech, mimicking the legitimate CERT-UA site, to spread the malware. Evidence suggests the command server is hosted on OVH infrastructure and contains Russian-language elements, hinting at the attackers’ origin.

CERT-UA emphasizes the need for organizations to reduce their attack surface and strengthen security measures using tools like AppLocker and robust system protections.

Source: Security Affairs
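As an added, defender-side example (not code from Security Affairs or CERT-UA), the following Python scans constructed proxy log lines for the two indicators the report describes: requests to a CERT-UA lookalike domain such as cert-ua[.]tech, and archive downloads from the Files.fm file-sharing service. It assumes CERT-UA's legitimate site is cert.gov.ua and that Files.fm serves from files.fm; the log format and entries are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the report): CERT-UA's legitimate site is cert.gov.ua,
# and the Files.fm service used in the campaign serves from files.fm.
LEGIT_DOMAINS = {"cert.gov.ua"}
BRAND_TOKENS = ("cert-ua", "certua", "cert_ua")
FILE_SHARING = {"files.fm"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)


def refang(text):
    """Undo common IoC defanging ("[.]", "hxxp") so indicators compare as real hosts."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return the reasons a URL matches this campaign's pattern, or [] if none."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    # Brand name present in the host, but not under the legitimate domain.
    if not _under(host, LEGIT_DOMAINS) and any(tok in host for tok in BRAND_TOKENS):
        reasons.append(f"brand lookalike domain: {host}")
    # Archive fetched from the file-sharing service used to stage the fake tool.
    if _under(host, FILE_SHARING) and ARCHIVE_EXT.search(parts.path):
        reasons.append(f"archive download from file-sharing host: {host}")
    return reasons


# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2025-01-15T10:02:11Z 10.0.0.12 GET https://cert.gov.ua/articles/123 200
2025-01-15T10:05:42Z 10.0.0.12 GET hxxps://cert-ua[.]tech/download/security-tool.zip 200
2025-01-15T10:06:03Z 10.0.0.31 GET https://files.fm/u/abc123/update.rar 200
2025-01-15T10:07:19Z 10.0.0.44 GET https://files.fm/about 200
"""


def scan_log(log_text):
    """Return (client, url, reasons) for each line whose URL matches a campaign pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the hunt
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```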
