CERT-UA Alert: UAC-0099 Phishing Campaigns Target Ukraine's Defense Sector with Advanced Malware
TL;DR
Ukraine’s CERT-UA has issued a warning about phishing attacks by the threat actor UAC-0099, targeting government and defense sectors with advanced malware such as MATCHBOIL, MATCHWOK, and DRAGSTARE. These attacks, initiated through phishing emails, demonstrate the evolving tactics and sophistication of the threat actors.
Introduction
Ukraine’s Computer Emergency Response Team (CERT-UA) has recently warned of a series of phishing attacks orchestrated by the threat actor UAC-0099. These attacks are specifically targeting government entities and the defense sector, deploying sophisticated malware including MATCHBOIL, MATCHWOK, and DRAGSTARE. The attacks underscore the persistent and evolving threat landscape faced by Ukraine’s critical infrastructure.
Attack Chain and Tactics
Phishing Emails and Initial Infection
The attack chain commences with phishing emails, often disguised as “court summons,” sent via the UKR.NET email service. These emails contain links to legitimate file hosting services that harbor a double archive with an HTA file. When opened, the HTA file executes obfuscated VBScript, which drops additional files and creates a scheduled task to run PowerShell code.
Malware Deployment and Execution
The PowerShell code decodes HEX data, writes it to a file, renames it to “AnimalUpdate.exe,” and sets it to run regularly, thereby activating the MATCHBOIL loader. This loader is designed to fetch and run additional payloads, gathering system data such as CPU ID, BIOS serial, username, and MAC address. The malware communicates with its command-and-control (C2) server using HTTP headers that include the gathered system data.
Additional Malware and Persistence Mechanisms
In addition to MATCHBOIL, the threat actors have been observed deploying the MATCHWOK backdoor and the DRAGSTARE stealer. MATCHWOK is a C#-based backdoor that executes PowerShell commands by compiling .NET code at runtime. It includes anti-analysis features, terminating or avoiding execution if tools like IDA, Wireshark, or Procmon are detected on the system.
DRAGSTARE, another C#-based stealer, gathers system information, browser data (Chrome, Mozilla), and specific files (.docx, .pdf, etc.) from common folders. It steals login credentials, cookies, and archives found files for exfiltration. It also executes PowerShell commands from its server, evades virtual machines, and ensures persistence via a registry key.
Evolving Tactics and Persistence
The threat actors behind UAC-0099 have demonstrated significant persistence and sophistication in their tactics. The use of obfuscated VBScript and scheduled tasks to maintain persistence and execute malicious code highlights their adaptability and technical prowess. The attackers have been active since mid-2022, targeting Ukrainian employees working for companies both within and outside of Ukraine.
Historical Context and Previous Attacks
In May 2023, CERT-UA warned of cyberespionage attacks carried out by UAC-0099 against state organizations and media representatives of Ukraine. In December 2023, the threat actor exploited a high-severity WinRAR flaw (CVE-2023-38831) to deliver the LONEPAGE malware, further demonstrating their evolving tactics and targeting strategies.
Conclusion
The recent phishing attacks by UAC-0099 targeting Ukraine’s defense sector underscore the critical need for heightened cybersecurity measures and continuous monitoring. The deployment of advanced malware and the evolving tactics of threat actors highlight the persistent and sophisticated nature of cyber threats faced by critical infrastructure sectors. Organizations must remain vigilant and adopt robust security practices to mitigate the risks posed by such attacks.
Additional Resources
For further insights, check:
Follow for more updates:
- Twitter: @securityaffairs
- Facebook: Security Affairs
- Mastodon: @securityaffairs
For more details, visit the full article: source
References
```