The threat actor "UAC-0099" has been targeting Ukraine since mid-2022. The group has been observed using a range of tactics and techniques in its attacks, including exploitation of a high-severity WinRAR flaw (CVE-2023-38831) to deliver the LONEPAGE malware. It targets Ukrainian employees working for companies outside of Ukraine and has been linked to espionage-motivated attacks against state organizations and media entities. The attacks use several infection vectors, such as phishing messages carrying HTA, RAR, and LNK file attachments, that lead to the deployment of LONEPAGE, a Visual Basic Script (VBS) capable of contacting a command-and-control (C2) server, stealing information, and taking screenshots. The actor's activity has been documented by the Computer Emergency Response Team of Ukraine (CERT-UA), and its attacks continue to evolve, demonstrating a high level of sophistication.
IoC
SHA256
IPv4
- 147.78.46.40
- 196.196.156.2
- 2.59.222.98
REFERENCES
- https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine
- https://otx.alienvault.com/pulse/658c7d1e6e6bd875e46d467e
TAGS
powershell, uac0099, winrar, docx, ukraine, vbs, phishing, CVE-2023-38831