WinRAR 0-Day

Cybersecurity researchers at Deep Instinct Lab have revealed a new series of cyberattacks by ‘UAC-0099,’ specifically targeting Ukrainians. These attacks employ familiar tactics, such as fabricated court summons that entice targets into executing malicious files.

The group’s activities were initially revealed in May 2023 through the Ukrainian CERT advisory ‘#6710,’ and Deep Instinct has now provided exclusive insights into their latest attack.

According to a blog post from the company, on December 21st, 2023, ‘UAC-0099’ used an email scam to impersonate the Lviv city court via the ukr.net email service. The target was a Ukrainian employee working remotely for a company outside Ukraine. The deceptive email contained an executable file, created with WinRAR, named docx.lnk.[1]

Although it appears to be a regular document, it is an LNK shortcut designed to launch PowerShell with malicious content: it decodes two base64 blobs and writes the output to a VBS file and a DOCX file.

The exploited WinRAR vulnerability was a zero-day flaw identified in August 2023. Despite subsequent patching, unpatched systems remain at risk and continue to be targeted.

The VBS malware, identified as ‘LonePage’ by CERT-UA, establishes a concealed PowerShell process that communicates with a predefined C2 URL to retrieve a text file. The script checks the text file for the string ‘get-content’ and, if it is present, executes the code from the server and saves it as an array of bytes.

The LonePage VBS is a potent tool, enabling cybercriminals to infiltrate computers and execute malicious code. As a deception, it uses a DOCX decoy document so victims believe they have opened a legitimate file. Similar to the LNK attack vector, the HTA technique uses an HTML file incorporating a VBScript that executes PowerShell as a recurring task with a four-minute cadence.

In both incidents, the pro-Russian gang exploited a recognized WinRAR vulnerability, CVE-2023-38831, designated in August 2023 and identified by Group-IB. The vulnerability arises from the way WinRAR processes ZIP files; exploitation requires the user to interact with a specially crafted ZIP archive.

The attacker crafts a seemingly harmless archive by appending a space after the file extension. The archive contains a folder with the identical name and an extra file bearing a “.cmd” extension.

When a user double-clicks the innocuous file, the associated “.cmd” file is executed instead. This heightens the risk of widespread infection, since even security-aware victims may inadvertently run malicious code while opening what appears to be a harmless file.
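As an added illustration, not part of the original article or of Deep Instinct's research, the following Python check inspects a ZIP's entry list for the layout just described: a top-level file name ending in a space, paired with a folder of exactly the same name that holds a script. The sample archive, its placeholder contents and the list of flagged extensions are constructed assumptions; the check generalizes beyond “.cmd” to the other script formats the article mentions.

```python
import io
import posixpath
import zipfile

# Script/executable extensions to flag inside the look-alike folder (assumed list:
# the .cmd the article names plus the other formats it mentions).
EXEC_EXT = (".cmd", ".bat", ".exe", ".vbs", ".lnk", ".hta", ".ps1", ".js")


def find_lure_entries(zip_bytes: bytes) -> list[str]:
    """Return top-level entry names matching the CVE-2023-38831 layout:
    a file whose name ends in a space plus a folder with exactly the same
    name that contains a script or executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    # Collect every directory, whether stored explicitly ("x/") or only
    # implied by a nested path ("x/y.cmd").
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in names:
        parent = posixpath.dirname(n)
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)

    hits = []
    for n in names:
        if "/" in n or not n.endswith(" "):
            continue  # only top-level decoy files with a trailing space matter
        if n not in dirs:
            continue  # no same-named folder, so no name collision to abuse
        children = [c for c in names if c.startswith(n + "/") and not c.endswith("/")]
        if any(c.lower().endswith(EXEC_EXT) for c in children):
            hits.append(n)
    return hits


def build_sample_archive(with_lure: bool = True) -> bytes:
    """Constructed in-memory sample; entry bodies are placeholder text,
    not real documents or scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"placeholder")
        if with_lure:
            zf.writestr("summons.pdf ", b"placeholder decoy")
            zf.writestr("summons.pdf /summons.pdf .cmd", b"placeholder")
        else:
            zf.writestr("summons.pdf", b"placeholder decoy")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_lure_entries(build_sample_archive()))       # ['summons.pdf ']
    print(find_lure_entries(build_sample_archive(False)))  # []
```

The same name-collision check can be run over archives quarantined at a mail gateway, since the lure is visible in the central directory without extracting anything.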

Researchers have found this gang’s tactics simple yet effective. The group relies on PowerShell and creates a scheduled task to execute a VBS file. Monitoring or restricting these components can reduce the risk of UAC-0099 attacks and help identify them quickly in the event of compromise.

Figure: UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine. The attack flow (Deep Instinct Lab)

This isn’t the first time Russian hackers have exploited known vulnerabilities. In early December, Hackread.com reported how Forest Blizzard, affiliated with the Russian GRU, exploited an Outlook vulnerability that allowed attackers to steal Net-NTLMv2 hashes and access user accounts.

On 15 December 2023, reports surfaced that Russian hackers had breached a major US biomedical company in a TeamCity-linked attack. Although the vulnerability, which scored 9.8 on the CVSS scale, was patched in September 2023, unpatched systems remain susceptible to ongoing cyberattacks.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632


[1] https://www.hackread.com/uac-0099-hackers-winrar-flaw-cyberattack-ukraine/
