Wednesday, January 3, 2024

Threat Actor 'UAC-0099' Continues to Target Ukraine

The threat actor "UAC-0099" has been targeting Ukraine since mid-2022. This actor has been observed leveraging various tactics and techniques to carry out cyber attacks, including the use of a high-severity WinRAR flaw (CVE-2023-38831) to deliver the LONEPAGE malware. The group targets Ukrainian employees working for companies outside of Ukraine and has been linked to attacks against state organizations and media entities for espionage motives. The attacks involve different infection vectors, such as phishing messages containing HTA, RAR, and LNK file attachments, leading to the deployment of the LONEPAGE malware, a Visual Basic Script (VBS) capable of contacting a command-and-control (C2) server, stealing information, and taking screenshots. The threat actor's activities have been documented by the Computer Emergency Response Team of Ukraine (CERT-UA), and their attacks continue to evolve, demonstrating a high level of sophistication.
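The WinRAR flaw named above, CVE-2023-38831, is triggered by an archive that pairs a benign-looking decoy file with a directory of the same name (trailing space included) holding a script that runs when the decoy is opened. The following triage helper is an added example, not code from the original post or from Deep Instinct: it flags ZIP archives with that layout (the Python standard library has no RAR reader, so the check is shown on ZIP; the sample archive, the file names and the `EXEC_EXTS` list are constructed for the example).

```python
import io
import zipfile
from typing import List, Tuple

# Script/executable extensions a defender would not expect next to a decoy
# document (constructed list for this example, extend to taste).
EXEC_EXTS = (".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf",
             ".ps1", ".exe", ".hta", ".lnk")


def find_cve_2023_38831_traps(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) pairs matching the CVE-2023-38831 layout.

    Heuristic: a top-level file entry whose name (trailing spaces ignored)
    equals the name of a directory that contains an executable script.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    # Top-level files, keyed by their name with trailing spaces stripped.
    decoys = {n.rstrip(" "): n for n in names if "/" not in n}
    hits: List[Tuple[str, str]] = []
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue  # top-level file or bare directory entry
        parent, _, leaf = n.rpartition("/")
        key = parent.rstrip(" ")
        if key in decoys and leaf.lower().rstrip(" ").endswith(EXEC_EXTS):
            hits.append((decoys[key], n))
    return hits


def build_sample(trap: bool) -> bytes:
    """Constructed sample archive: a decoy 'report.pdf ' plus either the
    trap directory (trap=True) or an innocent images/ directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4 decoy")
        if trap:
            # Placeholder script body; it does nothing if run.
            zf.writestr("report.pdf /report.pdf .cmd",
                        b"@echo off\r\nrem constructed placeholder\r\n")
        else:
            zf.writestr("images/logo.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_cve_2023_38831_traps(build_sample(True)))   # flags the trap
    print(find_cve_2023_38831_traps(build_sample(False)))  # []
```

The same name-collision check applies to RAR archives once they are listed with a RAR-capable library.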

IoC

SHA256

IPv4

  • 147.78.46.40
  • 196.196.156.2
  • 2.59.222.98

REFERENCES

  • https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine
  • https://otx.alienvault.com/pulse/658c7d1e6e6bd875e46d467e

TAGS

powershell, uac0099, winrar, docx, ukraine, vbs, phishing, CVE-2023-38831
