#ESETresearch uncovered a new compromise that we attribute to #FrostyNeighbor, using links in malicious PDFs sent as spearphishing attachments to target governmental organizations in Ukraine.
@dmnsch https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/

The compromise chain is the newest observed to date. It starts with a blurry lure PDF file that contains a malicious link to download a document hosted on a delivery server. If the request does not come from an expected victim, the server delivers a benign PDF file.
If the request comes from an expected location, the server instead delivers a malicious RAR archive containing the first stage, which displays an unblurred version of the PDF file as a decoy while silently executing the next stage.
Information about the victim’s computer is collected and its fingerprint is sent to the C&C server. The response contains a Cobalt Strike beacon as the initial implant only if the victim is of interest.
Detailed analysis is available at https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/. IoCs are available in our GitHub repo:
https://github.com/eset/malware-ioc/tree/master/frostyneighbor