The Turla group is attacking Ukrainian authorities with a new DeliveryCheck malware.
The hackers' goal is to extract the victims' confidential correspondence and documents.
As researchers recently found out, the Turla hacker group is using a new .NET backdoor called DeliveryCheck (also known as CAPIBAR or GAMEDAY) in attacks on Ukrainian government structures.
According to Microsoft's findings, obtained in collaboration with CERT-UA, DeliveryCheck is distributed through phishing emails with malicious macros. After a successful infection, the backdoor establishes persistence on the system via a scheduled task and contacts the C2 server for further instructions to download arbitrary payloads.
In some cases, the infection is also accompanied by the installation of a well-known Turla implant called Kazuar to steal application configuration files, event logs, and various data from web browsers.
The ultimate goal of the attacks is to gain access to correspondence in the Signal for Windows application, allowing the attackers to extract sensitive conversations, documents, and images from compromised systems.
A distinctive feature of DeliveryCheck is its ability to compromise Microsoft Exchange servers and install a server component using Desired State Configuration (DSC), a PowerShell management platform for automating the configuration of Windows systems.
“DSC generates a file in the Managed Object Format (MOF) containing a PowerShell script that loads an embedded .NET payload into memory, effectively turning a legitimate server into a malware control center,” Microsoft explained.
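As an added example (not code from the article or from Microsoft's report), the following Python check parses the Script resources out of a DSC-generated MOF document and flags any SetScript body that decodes and loads a .NET assembly in memory, the pattern the quote describes. The MOF sample, resource names and base64 placeholder are constructed for illustration; a real audit would point this at the MOF files the Local Configuration Manager keeps on the server.

```python
import re

# Indicators of a SetScript that stages a .NET payload in memory instead of
# configuring the system. Generic PowerShell idioms, not Turla-specific strings.
IN_MEMORY_LOAD_PATTERNS = {
    "reflection-assembly-load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "base64-decode": re.compile(r"\[Convert\]::FromBase64String\(", re.I),
    "entrypoint-invoke": re.compile(r"\.EntryPoint\.Invoke\(", re.I),
    "invoke-expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
}

# A DSC MOF serialises each resource as 'instance of <Class> ... { Prop = "value"; ... };'
_INSTANCE_RE = re.compile(r"instance of MSFT_ScriptResource\b[^{]*\{(.*?)\};", re.S)
_PROPERTY_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)

# Constructed sample document: one benign Script resource and one that loads an
# embedded assembly. The base64 value is a placeholder, not a real payload.
SAMPLE_MOF = r'''
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]RotateLogs";
 GetScript = "@{ Result = 'ok' }";
 TestScript = "Test-Path 'C:\\logs\\rotated'";
 SetScript = "Move-Item 'C:\\logs\\app.log' 'C:\\logs\\rotated'";
 ModuleName = "PSDesiredStateConfiguration";
};
instance of MSFT_ScriptResource as $MSFT_ScriptResource2ref
{
 ResourceID = "[Script]UpdateHealth";
 GetScript = "@{ Result = '' }";
 TestScript = "$false";
 SetScript = "$b=[Convert]::FromBase64String('QUJDREVGRw==');[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)";
 ModuleName = "PSDesiredStateConfiguration";
};
'''


def parse_script_resources(mof_text):
    """Return every Script resource in the MOF as a dict of property name -> value."""
    return [dict(_PROPERTY_RE.findall(m.group(1))) for m in _INSTANCE_RE.finditer(mof_text)]


def find_suspicious_script_resources(mof_text):
    """Flag Script resources whose SetScript shows in-memory .NET loading, with the matched indicators."""
    findings = []
    for res in parse_script_resources(mof_text):
        hits = [name for name, pat in IN_MEMORY_LOAD_PATTERNS.items() if pat.search(res.get("SetScript", ""))]
        # A TestScript hard-wired to $false makes the LCM re-run SetScript on every
        # consistency check, so the payload is re-staged after any cleanup.
        if hits and re.fullmatch(r"\s*\$false\s*", res.get("TestScript", ""), re.I):
            hits.append("testscript-always-false")
        if hits:
            findings.append({"resource_id": res.get("ResourceID", "?"), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_script_resources(SAMPLE_MOF):
        print(finding["resource_id"], "->", ", ".join(finding["indicators"]))
```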
As you might guess, foreign experts blame Russian hackers, including state-sponsored ones, for conducting this malicious campaign. However, the Russian government has repeatedly denied any involvement in cyber attacks or in any kind of interference in the functioning of other states' institutions.