EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand impersonation: ukr[.]net

Impersonation of ukr[.]net. Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
and (
  (
    // technique
    strings.ilike(sender.display_name, "ukr*net")
    and sender.email.domain.root_domain != "ukr.net"
  )
  or (
    // IOCs
    subject.subject == "Увага"
    and (
      sender.email.email in (
        "muthuprakash.b@tvsrubber.com",
        "rakesh.ict@msruas.ac.in",
        "omars@salecharter.net",
        "citi.in.pm@xerago.com",
        "qs@gsengint.com",
        "sec.ls@msruas.ac.in",
        "vaishnavi.kj@tvsrubber.com",
        "nshcorp@nshcorp.in",
        "purchase2@hitechelastomers.com",
        "productionbelgavi@hodekindia.com",
        "narayanababu.py.ph@msruas.ac.in",
        "roopa.tsld@msruas.ac.in",
        "in-nonciti.basupport@xerago.com",
        "info@empiink.com",
        "pooja.fa@msruas.ac.in",
        "babu.d@tvsrubber.com",
        "systeam@xerago.com",
        "dean.ds@msruas.ac.in",
      )
      or any(body.links, .href_url.domain.domain == "consumerspanel.frge.io")
    )
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Raw Content
name: "Brand impersonation: ukr[.]net"
description: |
  Impersonation of ukr[.]net.

  Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate
  ukr[.]net to steal user credentials. "Compromised mailboxes are used by the
  Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."
references:
  - "https://www.facebook.com/UACERT/posts/317482093744389"
  - "https://www.facebook.com/UACERT/posts/317539153738683"
  - "https://twitter.com/thehackersnews/status/1500824885957857280?s=21"
  - "https://thehackernews.com/2022/03/ukrainian-cert-warns-citizens-of.html"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      // technique
      strings.ilike(sender.display_name, "ukr*net")
      and sender.email.domain.root_domain != "ukr.net"
    )
    or (
      // IOCs
      subject.subject == "Увага"
      and (
        sender.email.email in (
          "muthuprakash.b@tvsrubber.com",
          "rakesh.ict@msruas.ac.in",
          "omars@salecharter.net",
          "citi.in.pm@xerago.com",
          "qs@gsengint.com",
          "sec.ls@msruas.ac.in",
          "vaishnavi.kj@tvsrubber.com",
          "nshcorp@nshcorp.in",
          "purchase2@hitechelastomers.com",
          "productionbelgavi@hodekindia.com",
          "narayanababu.py.ph@msruas.ac.in",
          "roopa.tsld@msruas.ac.in",
          "in-nonciti.basupport@xerago.com",
          "info@empiink.com",
          "pooja.fa@msruas.ac.in",
          "babu.d@tvsrubber.com",
          "systeam@xerago.com",
          "dean.ds@msruas.ac.in",
        )
        or any(body.links, .href_url.domain.domain == "consumerspanel.frge.io")
      )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Threat intelligence"
id: "3cb4015f-1e35-5bba-8d83-d5ed3dfff011"