# Russia-Ukraine war exploited as lure for malware distribution

**[bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/](https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/)**

By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/)

March 4, 2022 12:04 PM

Threat actors are distributing malware using phishing themes related to the invasion of Ukraine, aiming to infect their targets with remote access trojans (RATs) such as Agent Tesla and Remcos.

It is common for malware distributors to take advantage of trending global events to trick the recipient into opening email attachments, and at this time, there is nothing more closely watched than Russia's invasion of Ukraine.

Using this theme, threat actors are sending malicious emails that install RATs on target systems to gain remote access, steal sensitive information, conduct network reconnaissance, disable security software, and generally prepare the ground for more potent payloads.

The report of the latest malicious operations comes from [Bitdefender Labs](https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine), whose researchers have been tracking two distinct phishing campaigns since March 01, 2022.

## Targeting manufacturers

Ukraine is a manufacturing hub for various parts, and the current conflict has forced [factories to close](https://www.nytimes.com/2022/03/01/business/volkswagen-bmw-autos-germany-ukraine.html), inevitably creating supply chain problems and shortages.

The first campaign spotted by Bitdefender attempts to exploit these concerns by targeting manufacturers with a ZIP attachment that supposedly contains a survey that they are required to fill out to help their customers develop backup plans.
**Phishing email used in the first campaign** _(Bitdefender)_

However, the ZIP archive contains the Agent Tesla RAT, which has been heavily used in [various phishing campaigns](https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-powerpoint-macros-to-drop-agent-tesla/) in the past.

Most (83%) of the phishing emails in this campaign originated from the Netherlands, while the targets are based in the Czech Republic (14%), South Korea (23%), Germany (10%), the UK (10%), and the US (8%).

## Fake order holds

The second campaign involves the impersonation of a South Korean healthcare company that manufactures in-vitro diagnostic systems.

The message to targets claims that all orders have been put on hold due to flight and shipment restrictions from Ukraine.

**Phishing email used in the second campaign** _(Bitdefender)_

The attached Excel document supposedly contains more details about the order, but in reality, it's a macro-laced file that exploits the ever-popular, four-year-old Microsoft Office Equation Editor bug tracked as CVE-2017-11882 to deliver the Remcos RAT on the system.

89% of these emails originate from German IP addresses, while the recipients are based in Ireland (32%), India (17%), and the US (7%).

## Crypto-donation scams on the rise

Bitdefender also reports seeing an [explosion in the number of scammers](https://www.bleepingcomputer.com/news/security/help-ukraine-crypto-scams-emerge-as-ukraine-raises-over-37-million/) who attempt to convince users they are legitimate charities collecting donations to support Ukraine.

These scams have intensified, with malicious actors impersonating the Ukrainian government, the Act for Peace, UNICEF, and the Ukraine Crisis Relief Fund.

**Crypto-donations scam email** _(Bitdefender)_

Some example subject lines used by the scammers are:

- Stand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum, and USDT.
- HELP UKRAINE stop the war!
- Ukraine Humanitarian Donation
- Donate to Ukraine, Help save a life: Please read
- Urgent! Help Children in Ukraine
- Subject: Help Ukraine

## Stay safe

In general, but especially during periods of turbulence and uncertainty, avoid clicking on links or downloading attachments that arrive in your inbox via unsolicited communications.

If you want to donate to Ukraine, consider donating directly to the [Save Life organization](https://savelife.in.ua/en/donate/) or the [Ukrainian Red Cross](https://redcross.org.ua/en/donate/). Also, the Ukrainian government has officially published the following cryptocurrency addresses to use for donations.

> Stand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum and USDT.
>
> BTC - 357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P
>
> ETH and USDT (ERC-20) - 0x165CD37b4C644C2921454429E7F9358d18A45e14
>
> [— Ukraine / Україна (@Ukraine) February 26, 2022](https://twitter.com/Ukraine/status/1497594592438497282?ref_src=twsrc%5Etfw)

For protection against phishing emails and other online threats, the Romanian National Cyber Security Directorate (DNSC) and Bitdefender offer [free protection](https://www.bitdefender.com/ukraine/) for citizens and companies alike and extend the trial period of 'Total Security' to [90 days](https://www.bitdefender.com/media/html/consumer/new/get-your-90-day-trial-opt/index.html?cid=soc%7Cc%7cblog%7C90DaysTrial).
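The donation-scam advice above can be turned into a mail-triage check. The following is an added example, not code from the article or from Bitdefender: it flags Ukraine- or donation-themed messages that contain a wallet address other than the two quoted from the @Ukraine post. It assumes legacy Base58 Bitcoin addresses and simplified address patterns without checksum validation; the function names, the theme pattern and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Donation addresses quoted in the article from the @Ukraine post of February 26, 2022.
OFFICIAL_BTC = {"357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P"}
# Ethereum addresses are hex, so compare them case-insensitively.
OFFICIAL_ETH = {"0x165CD37b4C644C2921454429E7F9358d18A45e14".lower()}

# Simplified address shapes (assumption: no checksum validation is attempted).
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy Base58 only
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
LURE_RE = re.compile(r"ukrain|donat", re.IGNORECASE)  # hypothetical theme pattern

def body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_donation_email(raw_email):
    """Flag Ukraine/donation-themed mail whose wallets are not the published ones."""
    msg = message_from_string(raw_email)
    text = body_text(msg)
    btc = set(BTC_RE.findall(text))                  # Base58 is case-sensitive
    eth = {a.lower() for a in ETH_RE.findall(text)}
    unknown = sorted((btc - OFFICIAL_BTC) | (eth - OFFICIAL_ETH))
    themed = bool(LURE_RE.search(f"{msg.get('Subject', '')} {text}"))
    return {"themed": themed, "unknown_wallets": unknown,
            "suspicious": themed and bool(unknown)}

# Constructed samples: the placeholder wallets only have the right shape.
FAKE_BTC = "1FakeConstructedAddr" + "X" * 14
FAKE_ETH = "0x" + "ab" * 20
SCAM = ("Subject: Urgent! Help Children in Ukraine\n\n"
        f"Send BTC to {FAKE_BTC} or ETH to {FAKE_ETH} today.\n")
GENUINE = ("Subject: Help Ukraine\n\n"
           "BTC - 357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P\n"
           "ETH and USDT (ERC-20) - 0x165cd37b4c644c2921454429e7f9358d18a45e14\n")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(name, check_donation_email(raw))
```

A match on the allowlist only means the address equals the published one; it says nothing about the links or attachments in the same message.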