SunSeed

Sarah Jones

Feb 28, 2022

A Lua-based malware/phishing campaign (likely nation-state sponsored), which utilizes compromised Ukrainian armed service member’s email accounts to target European Union government personnel that are involved in managing the logistics of refugees fleeing Ukraine has emerged.

The phishing campaign originated from an email address with a supposedly Ukrainian domain (ukr[.]net). The email utilized the subject "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022" and included a macro enabled XLS file titled “list of persons.xlsx,” which was determined to contain malicious macros designed to silently install a Command and Control (C2) persistent malware client written in Lua. Proofpoint has named this malware SunSeed.


The format of the subject line included the date “24.02.2022” at the end of subject line and was similar to emails reported by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) on February 25, 2022. This alert indicated that mass phishing campaigns were targeting “Citizens’ e-mail addresses” in Ukraine.

This infection chain used is like a campaign observed by Proofpoint in July 2021 stemming from Minsk Based group UNC1151 which Proofpoint is tracking as Threat Actor TA445. It is believed that this Threat Actor is the same thats involved in the more recent Ukrainian campaign.