Microsoft Exchange servers used by Ukraine's and Eastern Europe's defense sector have been targeted in new attacks by Russian state-backed hacking group Turla, also known as UAC-0003, KRYPTON, and Secret Blizzard, deploying the novel DeliveryCheck backdoor, BleepingComputer reports.
Turla starts the attacks with phishing emails carrying Excel attachments that contain malicious macros; the macros execute PowerShell commands and create a scheduled task that downloads DeliveryCheck, also known as GAMEDAY and CapiBar, according to Microsoft and Ukraine's Computer Emergency Response Team. Besides deploying JavaScript payloads, DeliveryCheck can exfiltrate event logs and system files, as well as credentials, cookies, and authentication tokens from various programs.
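The infection chain above (Office macro, then PowerShell, then a scheduled task) leaves a characteristic process ancestry in endpoint telemetry. The following is an added detection example, not code from the original report, Microsoft, or CERT-UA; it runs over a constructed, simplified set of process-creation events (Sysmon Event ID 1 style) and flags PowerShell launched under an Office application and scheduled-task creation anywhere below an Office process. All process IDs, paths and command lines are fabricated for illustration.

```python
import re

# Constructed sample events, loosely modelled on Sysmon Event ID 1 fields.
# None of these values are real DeliveryCheck/Turla telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_pid": 980,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": 'EXCEL.EXE "C:\\Users\\user\\Downloads\\invoice.xlsm"'},
    {"pid": 4311, "parent_pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"pid": 4390, "parent_pid": 4311,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 30 /tn Updater "
                "/tr C:\\Users\\Public\\update.js"},
    # Benign control: PowerShell started from Explorer, not from Office.
    {"pid": 2200, "parent_pid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "parent_pid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Matches both the schtasks CLI and the PowerShell cmdlet form of task creation.
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create|register-scheduledtask", re.I)


def basename(image):
    """Lower-cased file name of an image path, for case-insensitive matching."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid, max_depth=5):
    """Walk the parent chain for a pid, bounded to avoid cycles and runaway loops."""
    chain, seen, ev = [], set(), by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        parent = by_pid.get(ev["parent_pid"])
        if parent is None or parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        chain.append(parent)
        ev = parent
    return chain


def detect(events):
    """Return findings for Office->PowerShell and Office-chain scheduled-task creation."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev["image"])
        chain = ancestors(ev["pid"], by_pid)
        office_ancestor = any(basename(a["image"]) in OFFICE_APPS for a in chain)
        if name in POWERSHELL and office_ancestor:
            findings.append({"pid": ev["pid"], "rule": "office_spawned_powershell",
                             "cmdline": ev["cmdline"]})
        if TASK_CREATE.search(ev["cmdline"]) and office_ancestor:
            findings.append({"pid": ev["pid"], "rule": "scheduled_task_from_office_chain",
                             "cmdline": ev["cmdline"]})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['cmdline']}")
```

The ancestry walk matters because the task creation is a grandchild of the Office process, not a direct child; rules that only compare parent and child would miss it. Real deployments would consume Sysmon or EDR events rather than an in-memory list, and would tune the Office and PowerShell name sets to the environment.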
"The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems," said the Microsoft Threat Intelligence team in a tweet.