

Ethical Hacking News

New AgingFly Malware: A Sophisticated Attack Vector Targeting Ukrainian Governments and Hospitals



A new malware family dubbed 'AgingFly' has been identified in attacks on local governments and hospitals in Ukraine. The attackers used open-source tools to steal authentication data from Chromium-based browsers and the WhatsApp messenger, and the implant itself gives its operators remote control, command execution, file exfiltration, screenshot capture, keylogging, and arbitrary code execution. Knowing the tactics, techniques, and procedures (TTPs) of this campaign lets defenders place controls and detections at the points where the chain is weakest: the initial script execution and the implant's dependence on its C2 link.

  • A new malware family called 'AgingFly' has been discovered in attacks on local governments and hospitals in Ukraine.
  • The attack begins with an email offering humanitarian aid; the chain runs through an LNK shortcut and an HTA script to a loader, and ends with the theft of authentication data from Chromium-based browsers and WhatsApp messenger.
  • The malware ships without built-in command handlers and instead fetches them from the C2 server as source code and compiles them at runtime, which adds complexity but lets operators change capabilities on demand.
  • Organizations can disrupt the chain by preventing the execution of LNK, HTA, and JS files.
  • The attackers rely on open-source tools, including ChromElevator and ZAPiDESK for credential decryption, the RustScan port scanner, and the Ligolo-ng and Chisel tunnelling tools.



    Researchers from CERT-UA have identified a new malware family dubbed 'AgingFly' that has been used in attacks against local governments and hospitals in Ukraine. The attacks began with an email purportedly offering humanitarian aid and resulted in the theft of authentication data from Chromium-based browsers and the WhatsApp messenger.

    The attack chain, as outlined by CERT-UA, begins with the target receiving an email with a link that redirects them to either a compromised legitimate site or a fake site generated with AI tools. The recipient is then prompted to download an archive containing a shortcut file (LNK) that launches the built-in HTA host (mshta.exe), which connects to a remote resource to retrieve and execute an EXE payload.

    The HTA displays a decoy form to divert attention while creating a scheduled task that downloads and runs the EXE payload. The payload injects shellcode into a legitimate process; the shellcode opens a TCP connection to the C2 server, obfuscates the traffic with a XOR cipher, and executes received commands through cmd.exe. XOR with a key that ships inside the loader is obfuscation rather than real encryption: once the key is recovered from the sample, the traffic can be read.
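    The process chain above (Explorer launching the HTA host, the HTA host registering a scheduled task whose action sits in a user-writable folder) is visible in ordinary process-creation telemetry. The following is an added example written for this article, not CERT-UA's detection logic or any vendor's rule: it runs three simple checks over Sysmon-style Event ID 1 records. Every event in it is constructed, and the paths, task name and process IDs are assumptions rather than indicators from the campaign.

```python
"""Flag the LNK -> mshta.exe -> scheduled-task chain in Sysmon-style
process-creation events.

Added example for this article, not CERT-UA's detection logic or any
vendor's rule. Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine); every event below is constructed, and the paths, task name
and process IDs are assumptions, not indicators from the campaign.
"""
import re

# Constructed sample events: one dict per process-creation record.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # The user opens the LNK from the downloaded archive; Explorer starts the HTA host.
    {"pid": 5204, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\aid\form.hta"'},
    # The HTA registers a scheduled task pointing at the downloaded EXE.
    {"pid": 5310, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Local\Temp\svc.exe"'},
    # Benign noise that must not fire.
    {"pid": 6001, "image": r"C:\Program Files\App\app.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "app.exe"},
    {"pid": 6100, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "schtasks /query"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a task whose action lives there is suspect.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Public|Windows\\Temp)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s|$)', re.I)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (rule_name, pid) for every event that matches a stage of the chain."""
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        # Stage 1: a script host started by the desktop shell (the LNK double-click pattern).
        if image in SCRIPT_HOSTS and parent == "explorer.exe":
            hits.append(("script_host_from_explorer", ev["pid"]))
        # The HTA host pulling its content straight from the web.
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            hits.append(("mshta_remote_url", ev["pid"]))
        # Stage 2: persistence created by a script host rather than an installer or an admin.
        if image == "schtasks.exe" and parent in SCRIPT_HOSTS and re.search(r"/create\b", cmd, re.I):
            hits.append(("task_created_by_script_host", ev["pid"]))
            action = TASK_ACTION.search(cmd)
            if action and USER_WRITABLE.search(action.group(1)):
                hits.append(("task_action_in_user_writable_path", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid}")
```

    Each stage is a separate rule on purpose: the first one alone is noisy in environments that legitimately use HTA or WSH, but a script host spawning schtasks with an action under AppData is rarely benign, and seeing both within seconds of each other on one host is a strong signal. The same checks translate directly to a SIEM query over Sysmon or Windows Security 4688 data.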

    The AgingFly malware, compiled from source code received from the C2 server, provides its operators with remote control, command execution, file exfiltration, screenshot capture, keylogging, and arbitrary code execution. It communicates with the C2 server over WebSockets and encrypts traffic using AES-CBC with a static key, so an analyst who extracts that key from a sample can decrypt every captured session of every infected host.
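    Both channels share the same weakness: a key that is fixed and carried inside the sample. The following added example (written for this article, not code from the AgingFly sample or from CERT-UA) shows the consequence on the loader's XOR channel, where no crypto library is needed: with a known plaintext prefix in one captured command, the key can be recovered from traffic alone and then reused on every other frame. It assumes a repeating-key XOR cipher and that each command starts with a known prefix such as "cmd.exe /c "; the article only says the TCP channel uses a XOR cipher, so both are assumptions, and the key and captured messages are constructed. The same principle applies to the AES-CBC channel once the static key is pulled from the binary.

```python
"""Recover a static XOR key from captured loader traffic by known plaintext.

Added example for this article, not code from the AgingFly sample or from
CERT-UA. It assumes a repeating-key XOR cipher and that each command the
C2 sends begins with a known prefix such as "cmd.exe /c " (both are
assumptions; the article only says the TCP channel uses a XOR cipher).
The key and the captured messages below are constructed.
"""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crack_repeating_xor(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 64):
    """Derive candidate key bytes from the known prefix, then validate the period.

    For a candidate length k, the first k key bytes are ciphertext XOR prefix.
    The candidate is accepted only if the key, repeated, also decrypts prefix
    bytes k.. correctly, so k must be shorter than the prefix: a prefix no
    longer than the key cannot confirm anything and yields None.
    Returns (key_len, key, plaintext) or None.
    """
    for k in range(1, min(len(known_prefix), max_key_len + 1)):
        key = bytes(c ^ p for c, p in zip(ciphertext[:k], known_prefix[:k]))
        if xor_bytes(ciphertext[:len(known_prefix)], key) == known_prefix:
            return k, key, xor_bytes(ciphertext, key)
    return None


# Constructed: a static key baked into the loader, and two commands captured in
# different sessions. In a real case the frames come from a PCAP, not from here.
STATIC_KEY = bytes.fromhex("5a138e01c4772b9f")
KNOWN_PREFIX = b"cmd.exe /c "
CAPTURED = [
    xor_bytes(b"cmd.exe /c whoami /all", STATIC_KEY),
    xor_bytes(b"cmd.exe /c tasklist /v", STATIC_KEY),
]


def decrypt_capture(frames, known_prefix=KNOWN_PREFIX):
    """Recover the key from the first frame and, because it is static, read all of them."""
    found = crack_repeating_xor(frames[0], known_prefix)
    if found is None:
        return None
    _, key, _ = found
    return key, [xor_bytes(frame, key) for frame in frames]


if __name__ == "__main__":
    key, messages = decrypt_capture(CAPTURED)
    print("recovered key:", key.hex())
    for msg in messages:
        print(msg.decode())
```

    The validation step matters: if the known prefix is no longer than the key, every candidate length "decrypts" the prefix trivially, so the function refuses to guess. For the AES-CBC channel the recovery is simpler but less elegant: there is no known-plaintext shortcut, but a static key in the binary is a constant that static analysis or a debugger will hand over, after which every WebSocket capture decrypts with standard tooling.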

    The researchers note that the malware's distinctive feature is its lack of pre-built command handlers; instead, it retrieves them from the C2 server as source code and compiles them at runtime. This keeps the initial payload small and lets the operators change or extend capabilities on demand, at the cost of a more complex implant.

    The same design also raises the attackers' exposure: the implant can do nothing without a live C2 connection, and compiling code on the victim leaves a larger runtime footprint than a static binary. To break the delivery chain, CERT-UA recommends blocking the execution of LNK, HTA, and JS files. A common way to implement that is an application-control policy (AppLocker or Windows Defender Application Control) that denies mshta.exe and the Windows Script Host to standard users, or at minimum reassigning the default handler for .hta and .js files to a text editor so that a double-click no longer runs the script.

    The use of open-source tools such as ChromElevator for decrypting Chromium-based browser data and ZAPiDESK for decrypting WhatsApp databases underlines how much of the intrusion was carried out with publicly available utilities. The researchers also observed reconnaissance, lateral movement attempts, and the use of the RustScan port scanner together with the Ligolo-ng and Chisel tunnelling tools, so the implant should be treated as the start of a hands-on intrusion rather than an isolated infostealer.

    For the attackers the approach yields a smaller initial payload and capabilities that can be swapped on demand; for defenders it means the implant is only as capable as its C2 link. Combining the file-type restrictions above with monitoring for the delivery process chain (Explorer launching mshta.exe, mshta.exe creating scheduled tasks), for outbound WebSocket connections from unexpected processes, and for the scanning and tunnelling tools named here covers each stage of this campaign.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-AgingFly-Malware-A-Sophisticated-Attack-Vector-Targeting-Ukrainian-Governments-and-Hospitals-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-agingfly-malware-used-in-attacks-on-ukraine-govt-hospitals/

  • https://www.cisa.gov/news-events/news/cisa-and-fbi-publish-advisory-protect-organizations-destructive-malware-used-ukraine

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://breach-hq.com/threat-actors


  • Published: Wed Apr 15 17:43:47 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
