# Ukraine's DELTA military system users targeted by info- stealing malware **[bleepingcomputer.com/news/security/ukraines-delta-military-system-users-targeted-by-info-stealing-malware/](https://www.bleepingcomputer.com/news/security/ukraines-delta-military-system-users-targeted-by-info-stealing-malware/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) December 19, 2022 12:39 PM 1 A compromised Ukrainian Ministry of Defense email account was found sending phishing emails and instant messages to users of the 'DELTA' situational awareness program to infect systems with information-stealing malware. [The campaign was highlighted in a report today by CERT-UA (Computer Emergency](https://cert.gov.ua/article/3349703) Response Team of Ukraine), which warned Ukrainian military personnel of the malware attack. DELTA is an intelligence collection and management system created by Ukraine with the help of its allies to help the military track the movements of enemy forces. ----- The system provides comprehensive real-time information with high-level integration from multiple sources on a digital map that can run on any electronic device, from a laptop to a smartphone. Digital certificates are used for signing software code and authenticating servers, telling security products running on the OS that the application has not been tampered with and that the server operator is who they claim to be. ## Infection process As part of this campaign, threat actors used email or instant messages with fake warnings that users need to update the 'Delta' certificates to continue using the system securely. The malicious email contains a PDF document purportedly with certificate installation instructions, which includes links to download a ZIP archive named "certificates_rootCA.zip." ----- **Sample of** **email used in the campaign** _(CERT-UA)_ ----- **Landing page from** **where victims download the ZIP file** _(CERT-UA)_ The archive contains a digitally signed executable named "certificates_rootCA.exe," which, upon launch, creates several DLL files on the victim's system and launches "ais.exe," which simulates the certificate installation process. This step convinces the victim that the process was legitimate and reduces the chances of them realizing they have been breached. ----- **Certificate** **installation dialog** _(CERT-UA)_ Both the EXE files and the DLLs are protected by VMProtect, a legitimate software that is used for wrapping files in standalone virtualized machines, encrypting their content, and making AV analysis or detection impossible. The dropped DLLs, "FileInfo.dll" and "procsys.dll," are malware, identified by CERT-UA as 'FateGrab' and 'StealDeal.' FateGrab is an FTP file stealer targeting documents and emails of the following file formats: '.txt', '.rtf', '.xls', '.xlsx', '.ods', '.cmd', '.pdf', '.vbs', '.ps1', '.one', '.kdb', '.kdbx', '.doc', '.docx', '.odt', '.eml', '.msg', '.email.' StealDeal is an information stealer malware that can, among other things, steal internet browsing data and passwords stored on the web browser. CERT-UA was unable to link the above operation to any known threat actors. ### Related Articles: [Malicious ‘Lolip0p’ PyPi packages install info-stealing malware](https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/) [Over 1 300 fake AnyDesk sites push Vidar info-stealing malware](https://www.bleepingcomputer.com/news/security/over-1-300-fake-anydesk-sites-push-vidar-info-stealing-malware/) ----- [New Dark Pink APT group targets govt and military with custom malware](https://www.bleepingcomputer.com/news/security/new-dark-pink-apt-group-targets-govt-and-military-with-custom-malware/) [Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls](https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls/) [New info-stealer malware infects software pirates via fake cracks sites](https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. -----