Malware disguised as a security tool targets Ukraine’s IT Army


A new malware campaign is exploiting people’s willingness to support Ukraine’s cyber war against Russia to infect them with password-stealing Trojans.

Last month, the Ukrainian government announced a new IT army made up of volunteers around the world carrying out cyber attacks and DDoS attacks against Russian entities.

This initiative has sparked an outpouring of support from many people around the world who have helped attack Russian organizations and sites, even if that activity is considered illegal.

Mimic a real DDoS tool

As is common with malware distributors, threat actors are taking advantage of the IT Army by promoting a fake DDoS tool on Telegram that installs a password- and information-stealing trojan.

In a new report from Cisco Talos, researchers warn that threat actors are mimicking a DDoS tool called the “Liberator,” a website bomber for use against Russian propaganda channels.

The Liberator at its actual website (Cisco)

While the versions downloaded from the real site are “clean” and probably illegal to use, the versions circulating on Telegram hide malware payloads, and there’s no way to tell the difference before running them, as neither is digitally signed.
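As an added example (not from the Cisco Talos report or the original article), this Python code shows the triage check behind that statement: it reads a Windows PE header and reports whether an Authenticode certificate table is present at all. The function names and the sample header bytes are constructed for illustration; a table that is present still has to be validated by the operating system's signature verifier, and when it is absent from both builds there is nothing to compare.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def authenticode_table(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if the
    image carries no signature. Raises ValueError if it is not a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24  # skip 4-byte "PE\0\0" and 20-byte COFF header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or opt + 2 > len(pe):
        raise ValueError("missing PE signature")
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ directory offset
    if dirs is None or opt + dirs > len(pe):
        raise ValueError("bad optional header")
    (count,) = struct.unpack_from("<I", pe, opt + dirs - 4)  # NumberOfRvaAndSizes
    entry = opt + dirs + 8 * SECURITY_DIR
    if count <= SECURITY_DIR or entry + 8 > len(pe):
        return None
    # Unlike the other directories, this one holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return offset, size

def sample_pe(cert: bytes = b"") -> bytes:
    """Constructed PE32+ headers for the demo (header bytes only, not a program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    hdr_len = len(dos) + 4 + len(coff) + len(opt)
    if cert:  # place a dummy certificate blob right after the headers
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, hdr_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    print("unsigned sample:", authenticode_table(sample_pe()))
    print("signed sample:  ", authenticode_table(sample_pe(bytes(16))))
```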

Telegram post promoting the fake Liberator (Cisco)

The Telegram posts claim that the tool retrieves a list of Russian targets to attack from a server, so the user doesn’t have to do much other than run it on their machine.

This ease of use is likely to appeal to supporters of Ukraine who are not very technical and do not know how to carry out their own attacks to “bomb” Russian sites.

The info stealer

The malware dropped on the victims’ systems performs anti-debug checks before running and then follows a process injection step to load the Phoenix information stealer into memory.

Phoenix was first spotted in the summer of 2019, sold in the cybercrime underground as MaaS (malware as a service) for $15 per month or $80 for a lifetime subscription.

The particular info stealer can collect data from web browsers, VPN tools, Discord, file system locations and cryptocurrency wallets and send it to an external address, in this case a Russian IP address.

Example of a data exfiltration from Phoenix (Cisco)

Talos researchers found that this particular IP has been distributing Phoenix since November 2021. Therefore, the recent theme change indicates that this campaign is just an opportunistic attempt to exploit the war in Ukraine for financial gain.

Do not participate in cyber attacks

Understandably, many people are overwhelmed by a sentiment that motivates them to act against unprovoked large-scale military invasions, but participating in cyber-attacks is always a bad idea.

Even if these actions appear to be sponsored by the Ukrainian government, which has the support of the entire international community, it does not make their use legal.

Users who participate in DDoS, defacement, or network breaches still run the risk of running into trouble with their country’s law enforcement agencies.

This malware distribution campaign is yet another reason why you should avoid participating in this type of operation, because in the end you are only endangering yourself.
