The emails contain a link to a site that looks like it hosts updates for Windows-based antimalware software. The site has been taken offline as of this writing, but it is possible that a new site will be stood up to continue the campaign. Researchers also identified at least one command and control server for the campaign. The "update" is 60 MB and walks the user through an acceptance screen that looks like it is from Microsoft. What it actually does is download and install a Cobalt Strike beacon in the form of a file called one.exe. The installer also grabs and executes a file called dropper.exe, a Go-based downloader. This in turn executes a base64-encoded file.
The new file completes the set by setting up persistence in the Windows Registry and installing two backdoors. One is the GraphSteel backdoor, the other is GrimPlant. Although the two backdoors overlap in their capabilities, together they give the attacker broader capabilities on the device than either would independently. It is also likely that each backdoor is there as a backup for the other.
The TTPs of this attack, as well as its target, have most researchers attributing the responsible party either to a group directly inside Russia or to a pro-Russia APT group. This seems likely, as there has been a massive increase in attacks targeting Ukraine since the start of the invasion. There are even rumblings of a war between APT groups as sides have been drawn. As with any email that asks you to download something, you should confirm the source through an independent means if possible. If you cannot, just do not download the file. Phishing, whether cast wide or spear-targeted, is a common way to take advantage of situations, in this case the uncertainty around the increase in targeted attacks on Ukrainian targets. Attackers can send out as many emails as they need to get that one careless download, and they have many ways to get around anti-phishing tools. In the end it is up to the end user to be aware and not act on an unconfirmed request.