The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR archiving software to deliver a malware strain known as LONEPAGE.
"The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis.
UAC-0099 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives.
The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.
"During 2022-2023, the mentioned group gained unauthorized remote access to several dozen computers in Ukraine," CERT-UA said at the time.
The latest analysis from Deep Instinct reveals that the use of HTA attachments is just one of three different infection chains; the other two leverage self-extracting (SFX) archives and booby-trapped ZIP files that exploit the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to distribute LONEPAGE.
In the former, the SFX file contains an LNK shortcut disguised as a DOCX file for a court summons, using the icon for Microsoft WordPad to entice the victim into opening it, which results in the execution of malicious PowerShell code that drops the LONEPAGE malware.
The other attack sequence uses a specially crafted ZIP archive that is susceptible to CVE-2023-38831, with Deep Instinct discovering two such artifacts created by UAC-0099 on August 5, 2023, three days after WinRAR maintainers released a patch for the bug.
"The methods used by 'UAC-0099' are simple, yet effective," the company said. "Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file."
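The shared persistence step described above (PowerShell registering a scheduled task that runs a VBS file) is something a defender can hunt for in task-creation telemetry. The following is an added example, not code from Deep Instinct or CERT-UA; it assumes Windows Security event 4698 records have been flattened to dicts with TaskName, TaskContent (the task XML) and a ProcessName for the registering process, and the sample events are constructed for illustration.

```python
"""Flag scheduled tasks that launch a .vbs via wscript/cscript, weighting
tasks registered from PowerShell higher (the UAC-0099 pattern)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}

def task_actions(task_xml):
    """Return (command, arguments) pairs from Task Scheduler XML."""
    root = ET.fromstring(task_xml)
    pairs = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", "", NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", "", NS) or "").strip()
        pairs.append((cmd, args))
    return pairs

def is_vbs_task(event):
    """True if any action runs a .vbs through a Windows script host."""
    for cmd, args in task_actions(event["TaskContent"]):
        exe = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS and re.search(r"\.vbs\b", f"{cmd} {args}".lower()):
            return True
    return False

def triage(events):
    """Return (task name, severity) for each suspicious task registration."""
    hits = []
    for ev in events:
        if not is_vbs_task(ev):
            continue
        creator = ev.get("ProcessName", "").lower().rsplit("\\", 1)[-1]
        # Registration from PowerShell matches the described chain: rate it higher.
        sev = "high" if creator in {"powershell.exe", "pwsh.exe"} else "medium"
        hits.append((ev["TaskName"], sev))
    return hits

def _task(cmd, args):  # helper to build minimal task XML for the samples
    return ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments>'
            '</Exec></Actions></Task>')

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"TaskName": r"\Updates\sync", "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TaskContent": _task(r"C:\Windows\System32\wscript.exe", r'"C:\Users\Public\upd.vbs"')},
    {"TaskName": r"\Microsoft\Windows\Backup", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "TaskContent": _task(r"C:\Windows\System32\sdclt.exe", "/run")},
    {"TaskName": r"\Maint\clean", "ProcessName": r"C:\Windows\explorer.exe",
     "TaskContent": _task("cscript", r"//nologo C:\ProgramData\c.vbs")},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [('\\Updates\\sync', 'high'), ('\\Maint\\clean', 'medium')]
```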
The development comes as CERT-UA warned of a new wave of phishing messages purporting to be outstanding Kyivstar dues to propagate a remote access trojan known as Remcos RAT. The agency attributed the campaign to UAC-0050.
Some parts of this article are sourced from:
thehackernews.com