The .doc attachment contacts a URL, exploiting the Equation Editor vulnerability, and downloads an executable: the malware. Data is then exfiltrated via SMTP to an email address.
Pro-Russia hackers attack Ukraine with Somnia ransomware. CERT-UA cybersecurity experts: Z-Team uses Avidar, Netscan and a Cobalt Strike beacon, then exfiltrates data from corporate networks and encrypts it.
Somnia is a new ransomware used by the pro-Russia “From Russia with Love” group (aka FRwL, Z-Team, UAC-0118) against targets in Ukraine, according to CERT-UA cybersecurity experts. First, the threat actor infects employees with the Avidar installer via fake sites that mimic Advanced IP Scanner. Avidar steals the victim’s Telegram data to take control of their account. The next step is to obtain the user’s VPN connection data to gain unauthorized access to the employer’s corporate network. Then the attackers use Netscan for reconnaissance and deploy a Cobalt Strike beacon. Finally, they exfiltrate data and encrypt the systems with the ransomware.
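The initial access step above (a trojanized installer served from a site imitating Advanced IP Scanner) is the one a defender can catch earliest. The following is an added detection sketch, not CERT-UA's or the vendor's code: it scans constructed web-proxy log lines for installer downloads and flags those coming from lookalike or unrelated domains. The log format, the allow-listed vendor domain and the edit-distance threshold are assumptions.

```python
"""Flag Advanced IP Scanner installer downloads that do not come from the
vendor's own domain (added example; all sample data below is constructed)."""
import re
from urllib.parse import urlsplit

# Assumed allow-list of the vendor's legitimate registered domain.
LEGIT_DOMAINS = {"advanced-ip-scanner.com"}
INSTALLER_RE = re.compile(r"advanced[_\-]?ip[_\-]?scanner.*\.(exe|msi)$", re.I)
LOOKALIKE_MAX_DISTANCE = 3  # assumed threshold for typosquat detection

def levenshtein(a, b):
    """Edit distance; used to spot typosquatted domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Crude: last two labels (sufficient for the constructed sample).
    return ".".join(host.lower().split(".")[-2:])

def classify(url):
    """Return None for non-installer URLs, else legit / lookalike / untrusted-source."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    if not INSTALLER_RE.search(filename):
        return None
    dom = registered_domain(parts.hostname or "")
    if dom in LEGIT_DOMAINS:
        return "legit"
    label = dom.split(".")[0]
    best = min(levenshtein(label, d.split(".")[0]) for d in LEGIT_DOMAINS)
    if best <= LOOKALIKE_MAX_DISTANCE or "ipscanner" in label.replace("-", ""):
        return "lookalike"
    return "untrusted-source"

def scan(lines):
    """Proxy log line format (assumed): '<timestamp> <user> <url> <status>'."""
    findings = []
    for line in lines:
        user, url = line.split()[1], line.split()[2]
        verdict = classify(url)
        if verdict and verdict != "legit":
            findings.append((user, url, verdict))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2022-11-11T10:02:11Z alice https://download.advanced-ip-scanner.com/Advanced_IP_Scanner_2.5.exe 200",
    "2022-11-11T10:05:43Z bob https://advanced-ip-scaner.example/Advanced_IP_Scanner_2.5.exe 200",
    "2022-11-11T10:07:09Z carol https://cdn.filehost.example/files/advanced-ip-scanner-setup.exe 200",
    "2022-11-11T10:09:30Z dave https://intranet.example/docs/report.pdf 200",
]
```

Calling `scan(SAMPLE_LOG)` reports bob's download as a lookalike domain and carol's as an untrusted source; alice's download from the vendor domain and dave's PDF are not flagged.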