Hackers Expose Vulnerabilities in Ukrainian Cyber Defense by Impersonating CERT-UA to Distribute RAT


In a striking incident that underscores the vulnerabilities within cybersecurity frameworks, Ukraine’s Computer Emergency Response Team (CERT-UA) found itself at the center of an investigation after a sophisticated phishing campaign targeted its operations. Between March 26 and 27, an unidentified threat actor created a convincing replica of the CERT-UA website, disseminating emails that impersonated its staff and directed recipients to download malware disguised as legitimate security software.

Phishing Campaign Unveiled

CERT-UA disclosed on March 28 that attackers sent out emails falsely attributed to the agency, urging recipients to download a password-protected archive labeled either “CERT_UA_protection_tool.zip” or “protection_tool.zip.” These files were hosted on the Files.fm file-sharing service and were presented as specialized protective software. The phishing emails targeted a wide range of Ukrainian institutions, including government bodies, healthcare facilities, educational institutions, financial organizations, and software development companies.

To bolster the phishing campaign, the attackers registered a counterfeit domain, cert-ua[.]tech, on March 27—just one day into the email distribution. This fraudulent website contained content copied directly from the official CERT-UA site, along with fabricated instructions for downloading the malicious software.

The Nature of the Malware

The executable file embedded within the downloaded archives was not protective software but rather a Remote Access Trojan (RAT) identified as AGEWHEEZE. CERT-UA classified this malware as a fully functional RAT developed in the Go programming language. RATs are notorious for granting attackers complete control over infected machines, enabling them to access files, view screens in real-time, emulate keyboard and mouse actions, execute commands, manage processes and services, and even shut down or lock devices.

AGEWHEEZE is designed for persistent, covert control. Its capabilities include screen capture, real-time input emulation, file system operations such as reading, writing, deleting, renaming, and creating directories, as well as managing autorun settings and accessing terminals. The malware establishes persistence through various methods, including the Windows registry startup key and scheduled tasks, creating entries named “SvcHelper” or “CoreService” based on the infection vector.
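As an added example (not code from the article or from CERT-UA's advisory), a PowerShell check a defender could run on a Windows host to look for the two persistence entry names and the two lure archive names reported above; the registry paths, search folders and output format are my own assumptions, and the hash-based indicators in the advisory remain the authoritative check.

```powershell
# Added example, not from CERT-UA: hunt for the AGEWHEEZE persistence names
# (registry Run value or scheduled task) and the lure archives named above.
$SuspectNames = @('SvcHelper', 'CoreService')        # names from the report
$LureNames    = @('CERT_UA_protection_tool.zip', 'protection_tool.zip')
$RunKeys = @(                                          # assumed autorun keys
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Findings = @()

# 1. Registry autorun values whose value name matches either persistence name.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Item = Get-ItemProperty -Path $Key
    foreach ($Name in $SuspectNames) {
        if ($null -ne $Item.$Name) {
            $Findings += [pscustomobject]@{
                Type = 'RegistryRun'; Where = $Key; Name = $Name; Command = $Item.$Name
            }
        }
    }
}

# 2. Scheduled tasks with the same names (the other vector the report describes).
foreach ($Task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    if ($SuspectNames -contains $Task.TaskName) {
        $Cmd = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $Findings += [pscustomobject]@{
            Type = 'ScheduledTask'; Where = $Task.TaskPath; Name = $Task.TaskName; Command = $Cmd
        }
    }
}

# 3. Leftover lure archives in the current user's Downloads and TEMP folders.
foreach ($Root in @("$env:USERPROFILE\Downloads", $env:TEMP)) {
    if (-not (Test-Path $Root)) { continue }
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $LureNames -contains $_.Name } |
        ForEach-Object {
            $Findings += [pscustomobject]@{
                Type = 'LureArchive'; Where = $_.DirectoryName; Name = $_.Name; Command = ''
            }
        }
}

if ($Findings.Count -eq 0) { 'No AGEWHEEZE persistence or lure artefacts found.' }
else { $Findings | Format-Table -AutoSize }
```

Run it in an elevated session so the HKLM keys and all scheduled tasks are readable; a match on a name alone is a lead to verify against the advisory's hashes, not a confirmed infection.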

Command-and-Control Infrastructure

The command-and-control (C2) server associated with AGEWHEEZE revealed further insights into the operation. Hosted on infrastructure belonging to the French cloud provider OVH, the server utilized WebSocket connections for communication. An intriguing detail emerged from a web page on port 8443, titled “The Cult,” which displayed an authentication form. Investigators discovered Russian-language text within the HTML source, indicating a blocked membership status. The self-signed SSL certificate for this server was created on March 18, listing “TVisor” in the Organization field, which matched the internal package name found within the malware.

Attribution for the attack was promptly claimed by the perpetrators. An analysis of the AI-generated fake website at cert-ua[.]tech revealed a line in the HTML code that read: “With Love, CYBER SERP — https://t[.]me/CyberSerp_Official.” This direct attribution eliminated any ambiguity regarding the source of the attack.

Impact and Response

On March 28, the day following the phishing campaign’s launch, the Telegram channel referenced in the HTML code published a message claiming responsibility for the attack. CERT-UA assigned the tracking identifier UAC-0255 to this activity. Despite the sophistication of the attack, CERT-UA assessed the cyber operation as “unsuccessful,” noting that only a few personal devices belonging to employees of educational institutions were identified as infected. The agency provided methodological and practical assistance to those affected and acknowledged the role of Ukrainian electronic communications providers in disseminating cyber threat information.

CERT-UA has documented multiple campaigns by various threat groups that weaponize government branding, including UAC-0002, UAC-0035, and UAC-0252. In this instance, the attackers targeted the agency that holds the highest authority in Ukrainian information security communications, effectively turning the trust associated with CERT-UA against the very institutions that rely on it.

The Role of Artificial Intelligence

The incident highlights the evolving landscape of cyber threats, particularly the role of artificial intelligence in simplifying the execution of such attacks. CERT-UA noted that the attackers’ use of an AI-generated phishing site serves as a cautionary example of the potential for AI to facilitate cyber threats. In response, the agency recommended that organizations reduce their attack surface by implementing standard operating system protections, including Software Restriction Policies and AppLocker, as well as deploying specialized endpoint protection tools.

For organizations seeking to bolster their defenses, CERT-UA has made available the full indicators of compromise, including file hashes, network indicators, and host-based artifacts, in its advisory.

According to publicly available thecyberexpress.com reporting, this incident serves as a critical reminder of the vulnerabilities that exist even within established cybersecurity frameworks. As cyber threats continue to evolve, the need for robust defenses and proactive measures becomes increasingly paramount.
