CERT-UA Alerts: C# Malware Attacks Using Court Summons as Lures

Growing Cyber Threats: UAC-0099 Targets Ukrainian Government and Defense

Introduction to UAC-0099

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert regarding a series of cyber attacks orchestrated by a threat actor known as UAC-0099. This group has notably focused its efforts on government bodies, the nation’s defense forces, and various enterprises within Ukraine’s defense-industrial sector.

Attack Vectors and Techniques

Initial Compromise via Phishing

UAC-0099 has been employing phishing emails as its primary method for initiating attacks. These messages contain links that lure recipients into starting an infection chain, which ultimately delivers a set of malware families: MATCHBOIL, MATCHWOK, and DRAGSTARE.

Background of UAC-0099

Previously documented by CERT-UA in June 2023, UAC-0099 has built a reputation for targeting Ukrainian organizations for espionage. Early tactics included exploiting vulnerabilities in the WinRAR software (specifically CVE-2023-38831 with a CVSS score of 7.8) to distribute a malware variant known as LONEPAGE.

Infection Chain

The latest infection chain begins with emails themed around court summons, crafted to entice recipients into clicking malicious links. These links, often shortened through services like Cuttly and sent from UKR.NET email addresses, lead to a double archive file that contains an HTML Application (HTA) file.

Execution of Malware Payload

Clicking the malicious link leads to the execution of an obfuscated Visual Basic Script. Besides running its own logic, the script sets up a scheduled task for persistence and eventually launches MATCHBOIL, a C#-based loader whose role is to drop additional malware onto the infected host.
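The persistence step above, a scheduled task created by a script, leaves a record that defenders can check: Windows Security event 4698 carries the registered task's XML. The following is an added example, not code from CERT-UA, the article, or the malware it describes; it parses 4698-style records and flags tasks whose action runs a script host or a payload from a user-writable location, or that repeat every few minutes. The Task Scheduler XML namespace is the real one; the task names, paths, thresholds and sample records are constructed for the demo.

```python
"""Flag scheduled-task registrations that launch script hosts from user paths.

Added example; not code from CERT-UA, the article, or the malware described.
Input is a list of constructed records shaped like Windows Security event
4698 (a scheduled task was created): the TaskName and the task's XML in
TaskContent. The XML namespace is the real Task Scheduler one; everything
else (task names, paths, thresholds) is constructed for this demo.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and interpreters routinely used by script-based loaders.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Locations an unprivileged user can write to; a task payload living there
# is far more suspect than one under System32 or Program Files.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\|\\programdata\\"
    r"|%(appdata|localappdata|temp|tmp)%",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta|ps1|bat|cmd|wsf)\b", re.IGNORECASE)


def analyze_task(task_xml: str) -> dict:
    """Parse Task Scheduler XML and collect the reasons it looks suspicious."""
    root = ET.fromstring(task_xml)
    reasons = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if USER_WRITABLE.search(f"{cmd} {args}"):
            reasons.append("payload in user-writable path")
        if SCRIPT_EXT.search(args):
            reasons.append("script file argument")
    # Repetition every few minutes is typical of a beaconing loader, not an admin job.
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        m = re.fullmatch(r"PT(\d+)M", (interval.text or "").strip())
        if m and int(m.group(1)) <= 5:
            reasons.append(f"repeats every {m.group(1)} min")
    return {"suspicious": bool(reasons), "reasons": reasons}


def triage_events(events: list) -> list:
    """Return (TaskName, reasons) for every 4698-style record that analyze_task flags."""
    flagged = []
    for ev in events:
        verdict = analyze_task(ev["TaskContent"])
        if verdict["suspicious"]:
            flagged.append((ev["TaskName"], verdict["reasons"]))
    return flagged


_TASK_TMPL = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Triggers><TimeTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>"
    "<Repetition><Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>"
    "<Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>"
    "</Task>"
)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _TASK_TMPL.format(
         interval="P1D", cmd="%windir%\\system32\\defrag.exe", args="-c -h -o")},
    {"TaskName": "\\UpdateCheck",
     "TaskContent": _TASK_TMPL.format(
         interval="PT3M", cmd="C:\\Windows\\System32\\wscript.exe",
         args='"C:\\Users\\alice\\AppData\\Roaming\\svc.vbs"')},
]

if __name__ == "__main__":
    for name, reasons in triage_events(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Each reason is reported separately so an analyst can weigh them: a script host alone is common in legitimate administration, but a script host plus a payload under AppData plus a three-minute repetition interval is the combination worth escalating.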

Subsequent Malware Components

MATCHWOK and DRAGSTARE are the two payloads that follow. MATCHWOK is a backdoor that can execute PowerShell commands and forward the output to a remote server. DRAGSTARE, by contrast, functions as a data stealer, capable of gathering system information, browser data, and a wide range of file types from key folders, including the Desktop and Documents.

In another relevant development, ESET published a comprehensive report detailing Gamaredon’s "relentless" spear-phishing attacks against Ukrainian entities throughout 2024. This report highlighted the introduction of six new malware tools that are engineered specifically for stealth and persistence.

New Tools Under Gamaredon’s Arsenal

Breakdown of Newly Introduced Malware

  • PteroDespair: A PowerShell reconnaissance tool for gathering diagnostic data on previously deployed malware.
  • PteroTickle: A PowerShell weaponizer that targets Python apps on fixed and removable drives, facilitating lateral movement.
  • PteroGraphin: Establishes persistence using Microsoft Excel add-ins and creates encrypted communication channels via the Telegraph API.
  • PteroStew: A VBScript downloader that stores its code in alternate data streams (ADS) attached to benign files.
  • PteroQuark: Introduced as a new part of the VBScript version of the PteroLNK weaponization tool.
  • PteroBox: A PowerShell file stealer that exfiltrates stolen files to Dropbox.

Campaign Intensification and Techniques

Recent reports indicate that Gamaredon’s spear-phishing efforts escalated, particularly in the latter half of 2024. Research by ESET’s Zoltán Rusnák shows that these campaigns often lasted several days, relying on emails containing malicious archive files (RAR, ZIP, 7z) or on HTML smuggling via XHTML files.
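HTML smuggling, mentioned above, builds the payload inside the browser from data embedded in the page, so a mail gateway sees an HTML or XHTML attachment rather than an archive. The scanner below is an added example, not code from ESET or the article: it scores an attachment on the browser-side indicators that pattern leaves behind (base64 decoding, Blob construction, object URLs, forced download, a large embedded literal). The rules, weights, threshold and both fixture documents are constructed for illustration and should be tuned against your own mail corpus.

```python
"""Heuristic scan of an HTML/XHTML attachment for HTML-smuggling indicators.

Added example; not code from ESET or the article. The rules, weights,
threshold and the two fixture documents are constructed for illustration
and should be tuned against your own mail corpus before use.
"""
import re

# Each rule is (name, pattern, weight). Together they describe the usual
# browser-side pattern: decode an embedded blob, wrap it as a file object,
# and push it to the user as a download without any server request.
RULES = [
    ("atob_decode", re.compile(r"\batob\s*\(", re.I), 2),
    ("blob_construct", re.compile(r"new\s+Blob\s*\(", re.I), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    ("forced_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I), 2),
    ("ms_save_blob", re.compile(r"msSaveOrOpenBlob", re.I), 3),
    ("auto_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    ("archive_mime", re.compile(
        r"application/(zip|x-rar-compressed|x-7z-compressed|octet-stream)", re.I), 1),
]
# One base64 literal this long inside a page is rare outside smuggled content.
BIG_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{400,}={0,2})['\"]")
THRESHOLD = 6  # a benign page with a bare download attribute scores well below this


def scan_html(doc: str) -> dict:
    """Score a document; 'hits' lists the rule names that matched, in rule order."""
    hits = [name for name, rx, _ in RULES if rx.search(doc)]
    score = sum(w for name, _, w in RULES if name in hits)
    if BIG_B64.search(doc):
        hits.append("large_base64_literal")
        score += 3
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}


# Constructed fixtures. The embedded "blob" is just the letter A repeated;
# it decodes to nothing meaningful and exists only to trip the size rule.
SMUGGLING_LIKE = """<html><body><script>
var b = "{blob}";
var bytes = Uint8Array.from(atob(b), function (c) {{ return c.charCodeAt(0); }});
var f = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(f);
a.download = "summons.zip";
a.click();
</script></body></html>""".format(blob="A" * 600)

BENIGN = """<html><body>
<p id="date"></p><script>
document.getElementById("date").textContent = new Date().toLocaleDateString();
</script>
<a download="report.pdf" href="/files/report.pdf">Download report</a>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggling-like", SMUGGLING_LIKE), ("benign", BENIGN)):
        print(label, scan_html(doc))
```

The weighting matters more than any single rule: a plain `download` attribute on a link is ordinary HTML and scores 2 on its own, whereas decode, Blob, object URL and forced download together are what distinguish in-browser file assembly from a normal page.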

Evasive Tactics and Tradecraft

The attacks typically deploy malicious HTA or LNK files that execute embedded VBScript downloaders like PteroSand and distribute upgraded versions of existing tools. Additionally, the tactics employed by this Russian-aligned threat actor include utilizing fast-flux DNS techniques alongside legitimate third-party services—such as Telegram and Cloudflare tunnels—to obscure its command-and-control (C2) infrastructure.
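Fast-flux DNS, which the paragraph above lists among Gamaredon's C2 tradecraft, shows up in resolver telemetry as a name that keeps returning new addresses across unrelated networks with short TTLs. The script below is an added example, not code from ESET or the article: it parses a constructed "timestamp name ttl ip" log built from documentation address ranges and flags names whose resolution churn fits that profile. The log format, hostnames and thresholds are assumptions for the demo; adapt `parse_log` to your resolver's real output, and note it handles IPv4 only.

```python
"""Flag fast-flux-style resolution churn in resolver or passive-DNS logs.

Added example; not code from ESET or the article. Log lines are constructed
in a simple "timestamp name ttl ip" form using documentation address ranges;
adapt parse_log to your resolver's real format. IPv4 only; thresholds are
illustrative starting points, not tuned values.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a stable CDN-like name and a churning one.
SAMPLE_LOG = """\
2024-09-01T10:00:00 cdn.legit-example.test 3600 203.0.113.10
2024-09-01T11:00:00 cdn.legit-example.test 3600 203.0.113.10
2024-09-01T12:00:00 cdn.legit-example.test 3600 203.0.113.11
2024-09-01T10:00:00 update.flux-example.test 120 198.51.100.7
2024-09-01T10:05:00 update.flux-example.test 120 192.0.2.44
2024-09-01T10:10:00 update.flux-example.test 150 198.51.100.201
2024-09-01T10:15:00 update.flux-example.test 120 203.0.113.99
2024-09-01T10:20:00 update.flux-example.test 90 192.0.2.130
2024-09-01T10:25:00 update.flux-example.test 120 198.51.100.33
"""


def parse_log(text: str) -> list:
    """Return (timestamp, name, ttl, ip) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ttl, ip = line.split()
        records.append((datetime.fromisoformat(ts), name.lower(), int(ttl), ip))
    return records


def slash24(ip: str) -> str:
    """Network prefix used to judge whether addresses are spread across networks."""
    return ".".join(ip.split(".")[:3])


def flux_report(records: list, max_avg_ttl: int = 300,
                min_ips: int = 5, min_nets: int = 3) -> dict:
    """Per name: distinct IPs, distinct /24s, average TTL, observation span, flag.

    A name is flagged when it returned many distinct addresses spread across
    several /24 networks with short TTLs, the fast-flux signature. A genuine
    CDN usually rotates within a few networks it owns and uses TTLs long
    enough for clients to cache the answer.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec[1]].append(rec)
    report = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r[0])
        ips = {r[3] for r in recs}
        nets = {slash24(r[3]) for r in recs}
        avg_ttl = sum(r[2] for r in recs) / len(recs)
        span_hours = (recs[-1][0] - recs[0][0]).total_seconds() / 3600
        suspicious = (len(ips) >= min_ips and len(nets) >= min_nets
                      and avg_ttl <= max_avg_ttl)
        report[name] = {"distinct_ips": len(ips), "distinct_nets": len(nets),
                        "avg_ttl": avg_ttl, "span_hours": span_hours,
                        "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for name, stats in flux_report(parse_log(SAMPLE_LOG)).items():
        print(name, stats)
```

The observation span is reported alongside the counts so an analyst can distinguish six addresses seen over 25 minutes from six seen over a year; in production you would also join the addresses against ASN data, since flux networks typically span many unrelated ASes rather than the handful a CDN operates.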

Conclusion

Despite observable limitations in capacity and a shift away from older tools, UAC-0099 and Gamaredon remain significant threats due to their relentless innovation and aggressive spear-phishing tactics, underscoring the ongoing cybersecurity challenges faced by Ukraine and its defense systems. Cybersecurity professionals must remain vigilant, adapting to the evolving landscape of cyber threats to better protect against these sophisticated attacks.
