Russian Cyber Group UAC-0050 Expands Operations to Target European Financial Institutions

A Russia-aligned cybercrime group, UAC-0050, also known as the DaVinci Group, has recently targeted a European financial institution involved in regional development and reconstruction initiatives. This marks a significant shift in the group’s focus, extending its operations beyond Ukraine to entities that support the country.

The attack commenced with a spear-phishing email that impersonated a Ukrainian judicial domain. The email directed the recipient, a senior legal and policy advisor with access to sensitive institutional operations and financial mechanisms, to download an archive file from PixelDrain, a file-sharing service. This method was likely chosen to bypass reputation-based security controls.

Once downloaded, the ZIP file began a multi-stage infection chain. It contained a RAR archive, which in turn held a password-protected 7-Zip file. Inside was an executable disguised as a PDF document by means of a double extension (.pdf.exe). Running this file installed the Remote Manipulator System (RMS), a Russian remote desktop product that provides remote control, desktop sharing, and file transfer.
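A defender-side check for the archive pattern described above, added here as an example and not code from the article or from CERT-UA: it walks a ZIP attachment, flags members that are themselves archives (by magic bytes, covering ZIP, RAR and 7-Zip), recurses into nested ZIPs, notes password-protected members it cannot open, and flags document-named executables such as `.pdf.exe` whose content is actually a PE file. The sample archive, member names and file contents are constructed for the demonstration.

```python
import io
import re
import zipfile

# Magic bytes of the container formats in the chain (ZIP -> RAR -> 7-Zip).
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
# Document-looking name with an executable final extension, e.g. contract.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com|pif|bat)$", re.IGNORECASE)

def sniff_container(data: bytes):
    """Return the archive type by magic bytes, or None if not a known container."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def inspect_zip(data: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a ZIP and any ZIPs nested in it; return (severity, message) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                findings.append(("medium", f"password-protected member at depth {depth}: {name}"))
                continue
            payload = zf.read(info)  # constructed sample is tiny; cap sizes in real use
            if DOUBLE_EXT.search(info.filename) and payload.startswith(b"MZ"):
                findings.append(("high", f"PE disguised as document (double extension): {name}"))
            kind = sniff_container(payload)
            if kind is not None:
                findings.append(("medium", f"nested {kind} archive at depth {depth + 1}: {name}"))
                if kind == "zip":
                    findings.extend(inspect_zip(payload, depth + 1, name))
    return findings

def build_sample() -> bytes:
    """Constructed sample: outer ZIP holding a RAR stub and a nested ZIP with a .pdf.exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("agreement.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE header, not runnable
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"benign text")
        zf.writestr("court_docs.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)  # RAR5 magic stub
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for severity, msg in inspect_zip(build_sample()):
        print(severity.upper(), msg)
```

RAR and 7-Zip members are reported but not opened, since the standard library cannot read them; a production scanner would hand those to a dedicated unpacker and treat an encrypted inner archive reached from an email attachment as a finding in its own right.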

The use of legitimate tools like RMS allows attackers to maintain persistent and stealthy access to compromised systems, often evading traditional antivirus detection. This tactic aligns with UAC-0050’s previous operations, where they deployed remote access software such as LiteManager and RemcosRAT in attacks targeting Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) has identified UAC-0050 as a mercenary group associated with Russian law enforcement agencies. Operating under the Fire Cells branding, the group engages in data gathering, financial theft, and information and psychological operations.

This recent attack indicates a potential expansion of UAC-0050’s targeting strategy. Historically focused on Ukraine-based entities, particularly accountants and financial officers, the group now appears to be probing institutions in Western Europe that support Ukraine.

The incident underscores the evolving nature of cyber threats and the importance of robust cybersecurity measures. Organizations, especially those involved in sensitive sectors like finance and regional development, must remain vigilant against sophisticated social engineering attacks and ensure their security protocols are up to date.