A Ukraine-based threat actor has launched a spearphishing attack against Russians who use services that the Kremlin has banned. The attack targets Russian cities and governments that are not aligned with the actions of the Russian government. Malwarebytes identified the campaign last week, stating that it targets entities using websites, social networks, instant messengers, and VPN services that have been banned in Russia.
Targets receive various emails stating that they will face charges for the illegal activity, prompting them to open a malicious attachment to learn more. Malwarebytes also detected two documents associated with the campaign that leverage the MSHTML flaw tracked as CVE-2021-40444. Although it has since been patched, the flaw allows remote code execution in Windows and lets attackers create malicious Office documents that trigger it.