Emails with the subject “Debt under the Kyivstar contract” carry attachments in the form of the aforementioned archive files, named “Subscriber debit.zip”. CERT-UA drew attention to the use of password-protected RAR archives inside these attachments. When the archive is opened, a chain of files is launched that ends with the activation of the RemcosRAT remote access program.
The malicious campaign is not limited to fake loan requests. CERT-UA also discovered emails with the subject “SBU request” containing attachments such as “Documents.zip”. These attachments contain password-protected RAR archives called “request.rar”. When launched, the archive leads to the installation of the RemcosRAT remote control program.
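A mail gateway or analyst can check for the delivery pattern described above, a ZIP attachment that wraps a password-protected RAR, without knowing the password. The following is an added example, not code from CERT-UA or from the original article. The function names are illustrative, the RAR5 header layout follows the published RAR 5.0 format notes, and RAR4 members are reported but their password flags are not parsed.

```python
import io
import zipfile

RAR_MAGIC = b"Rar!\x1a\x07"  # followed by 00 (RAR4) or 01 00 (RAR5)

def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer; return (value, next position)."""
    value = shift = 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value | (buf[pos] << shift), pos + 1

def rar5_is_encrypted(buf):
    """True if a RAR5 stream has an encryption header or a file-encryption record."""
    pos, htype = 8, 0  # start after the 8-byte RAR5 signature
    try:
        while pos < len(buf) and htype != 5:  # type 5 is the end-of-archive header
            hsize, p = read_vint(buf, pos + 4)  # pos + 4 skips the header CRC32
            end = p + hsize  # header size is counted from the type field
            htype, p = read_vint(buf, p)
            flags, p = read_vint(buf, p)
            extra, p = read_vint(buf, p) if flags & 1 else (0, p)
            data, p = read_vint(buf, p) if flags & 2 else (0, p)
            if htype == 4:  # archive encryption header: even file names are hidden
                return True
            rec = max(end - extra, p)
            while htype in (2, 3) and rec < end:  # extra area of file/service headers
                rsize, r = read_vint(buf, rec)
                if read_vint(buf, r)[0] == 1:  # record type 1: file encryption
                    return True
                rec = r + rsize
            pos = end + data
    except IndexError:  # truncated or malformed input: nothing provable
        pass
    return False

def triage_zip(data):
    """Yield (member, format, encrypted) for each RAR nested in a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # member encrypted at ZIP level: cannot inspect
                continue
            with zf.open(info) as fh:
                head = fh.read(65536)  # headers sit at the start; never inflate it all
            if head.startswith(RAR_MAGIC):
                is5 = head[6:8] == b"\x01\x00"
                enc = rar5_is_encrypted(head) if is5 else None  # None: not checked
                yield info.filename, "rar5" if is5 else "rar4", enc
```

Pass the raw bytes of a ZIP attachment to `triage_zip`; a result with `encrypted` set to `True` matches the nesting pattern and is a candidate for quarantine or manual review.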
The danger is real
State Special Communications emphasizes that this is not the first time the UAC-0050 group has used such tactics. In previous cases, cybercriminals impersonated government agencies such as:
- Civil Service in Emergency Situations,
- Press service of the General Staff of the Armed Forces of Ukraine,
- Security Service of Ukraine,
- Government Private Communications.
Ukrainians are advised to be careful and not fall for suspicious emails, especially regarding the current problems with Kyivstar. CERT-UA recommends that you take strict security precautions and avoid opening attachments or following links from unknown or unverified sources.
Source: 24 Tv
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.