Users of the system were infected through emails sent from a compromised email account of the Ministry of Defense of Ukraine.
Delta is a Ukrainian information support system for battlefield decision-making and situational awareness. The program was created to improve the coordination of the various units of the Ukrainian army. Delta integrates with various external intelligence sources, such as satellites, radars, various sensors and cameras, as well as a Telegram chat bot called "e-Vorogh". Each soldier can enter data on the shared map and view data entered by other military units or intelligence services. Each user is assigned an access level corresponding to their combat missions and rank.
In addition, the system uses digital certificates for code signing and server authentication, so that the information security systems can verify that the application has not been modified and that the server operator is who it claims to be.
During this malicious campaign, unknown attackers used a compromised email account of the Ukrainian Ministry of Defense. From it, they sent emails to Delta users urging them to renew their certificates as soon as possible in order to continue using the system safely. According to CERT-UA, the malicious emails contained PDF documents with instructions for installing the certificates, as well as links to download a ZIP archive called "certificates_rootCA.zip".
The archive contains a digitally signed executable called "certificates_rootCA.exe" which, when run, creates several DLL files on the victim's system and runs the "ais.exe" file, which mimics the certificate installation process. This step convinces the victim that what is happening is legitimate and dulls their vigilance.
The EXE and DLL files are protected by VMProtect, legitimate software that wraps files in standalone virtual machines and encrypts their contents, making it impossible for antivirus tools to analyze or detect them.
However, CERT-UA specialists were able to analyze two of the DLLs, FileInfo.dll and procsys.dll, which turned out to be malware dubbed FateGrab and StealDeal.
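Detection logic for the infection chain described above (the dropper writing DLLs and then launching the ais.exe decoy), as an added example that is not from the CERT-UA report: it correlates process-creation and file-creation events by process id. The pipe-separated event format, the sample paths and the pids are constructed assumptions; only the file names come from the report.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not from the CERT-UA report). Format:
# kind|pid|ppid|image|target, where target is the dropped file (kind=file) or "-".
SAMPLE_EVENTS = [
    "proc|1001|800|C:\\Users\\u\\Downloads\\certificates_rootCA.exe|-",
    "file|1001|800|C:\\Users\\u\\Downloads\\certificates_rootCA.exe|C:\\Users\\u\\AppData\\Local\\Temp\\FileInfo.dll",
    "file|1001|800|C:\\Users\\u\\Downloads\\certificates_rootCA.exe|C:\\Users\\u\\AppData\\Local\\Temp\\procsys.dll",
    "proc|1002|1001|C:\\Users\\u\\AppData\\Local\\Temp\\ais.exe|-",
    "proc|2001|800|C:\\Windows\\System32\\notepad.exe|-",
    "file|2001|800|C:\\Windows\\System32\\notepad.exe|C:\\Users\\u\\notes.txt",
]

DROPPER = "certificates_rootca.exe"      # file names reported by CERT-UA
DECOY_CHILD = "ais.exe"
KNOWN_DLLS = {"fileinfo.dll", "procsys.dll"}


def parse_events(lines):
    """Group events by pid: image basename, parent pid, child pids, dropped files."""
    procs = defaultdict(lambda: {"image": None, "ppid": None, "children": set(), "drops": set()})
    for line in lines:
        kind, pid, ppid, image, target = line.split("|", 4)
        rec = procs[pid]
        rec["image"], rec["ppid"] = ntpath.basename(image).lower(), ppid
        if kind == "proc":
            procs[ppid]["children"].add(pid)
        elif kind == "file":
            rec["drops"].add(ntpath.basename(target).lower())
    return procs


def find_suspicious(lines):
    """Return (pid, reason) pairs: the full dropper chain, or a known DLL name alone."""
    procs = parse_events(lines)
    hits = []
    for pid, rec in procs.items():
        dlls = {d for d in rec["drops"] if d.endswith(".dll")}
        children = {procs[c]["image"] for c in rec["children"]}
        if rec["image"] == DROPPER and dlls and DECOY_CHILD in children:
            hits.append((pid, "dropper wrote DLLs and launched decoy installer"))
        elif rec["drops"] & KNOWN_DLLS:
            hits.append((pid, "wrote known malicious DLL name"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(*hit)
```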
FateGrab is an infostealer targeting documents and emails in the following formats: '.txt', '.rtf', '.xls', '.xlsx', '.ods', '.cmd', '.pdf', '.vbs', '.ps1', '.one', '.kdb', '.kdbx', '.doc', '.docx', '.odt', '.eml', '.msg', '.email'.
StealDeal is also an infostealer, but it targets the victim's browser history and saved passwords.
So far, CERT-UA has not been able to link this malicious campaign to any hacker group.