The Computer Emergency Response Team of Ukraine (CERT-UA) has recently identified a series of cyber attacks orchestrated by a threat actor designated as UAC-0099. These attacks specifically target Ukrainian government agencies, defense forces, and enterprises within the defense-industrial complex. The primary method of compromise involves phishing emails that deliver malware families such as MATCHBOIL, MATCHWOK, and DRAGSTARE.
Background on UAC-0099
First publicly documented by CERT-UA in June 2023, UAC-0099 has a history of targeting Ukrainian entities for espionage purposes. Previous campaigns by this group exploited a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to disseminate malware known as LONEPAGE.
Current Attack Methodology
In the latest campaign, UAC-0099 employs phishing emails that masquerade as court summons notifications. These emails are sent from UKR.NET addresses and contain links shortened using services like Cuttly. When recipients click on these links, they are directed to download a nested ("double") archive, an archive inside another archive, containing an HTML Application (HTA) file.
Infection Chain Details
1. HTA File Execution: Upon execution, the HTA file runs an obfuscated Visual Basic Script (VBS).
2. Persistence Mechanism: The VBS script creates a scheduled task to ensure the malware remains active on the infected system.
3. Loader Deployment: The script then executes a C#-based loader named MATCHBOIL, which is responsible for deploying additional malware components.
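The three steps above leave a recognisable parent-child trail in process-creation telemetry: mshta.exe starting a script interpreter, and that interpreter creating a scheduled task whose action is itself a script host. The following is an added detection example written for this article, not code from CERT-UA or from the malware; the event shape loosely mirrors Sysmon Event ID 1 / Windows 4688 fields, and every sample record (process ids, paths, task name) is constructed.

```python
"""Flag the HTA -> VBScript -> scheduled-task persistence chain in process-creation events.

Added example (not from the CERT-UA advisory): the event shape and all sample
records are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields.
"""
import re
from dataclasses import dataclass

# Interpreters that commonly run the first-stage script in a phishing chain.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image names from `pid` up to the root, guarding against pid cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def task_action(cmdline: str):
    """Return the /tr (task action) argument of a `schtasks /create` command, or None."""
    if "/create" not in cmdline.lower():
        return None
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect_chain(events: list) -> list:
    """Return findings as dicts with pid, rule and the process ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        chain = " < ".join(ancestry(by_pid, e.pid))
        # Rule 1: an HTA host launching another script interpreter (HTA -> VBS stage).
        if parent and basename(parent.image) == "mshta.exe" and name in SCRIPT_HOSTS - {"mshta.exe"}:
            findings.append({"pid": e.pid, "rule": "hta_spawns_script_host", "chain": chain})
        # Rule 2: a scheduled task is created whose action is a script host (persistence stage).
        action = task_action(e.cmdline) if name == "schtasks.exe" else None
        if action and any(h in action.lower() for h in SCRIPT_HOSTS):
            findings.append({
                "pid": e.pid,
                "rule": "scheduled_task_runs_script_host",
                "chain": chain,
                "hta_in_ancestry": "mshta.exe" in chain,  # full chain as described in the advisory
            })
    return findings


# Constructed sample telemetry (not real logs): one malicious chain and two benign processes.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Downloads\summons.hta"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\user\AppData\Roaming\upd.vbs"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "Upd" '
              r'/tr "wscript.exe //B C:\Users\user\AppData\Roaming\upd.vbs" /f'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /query /tn "Backup"'),
    ProcEvent(2100, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 alone fires on plenty of legitimate HTA-based installers, so the second rule carries the weight: a task registered from a script interpreter, whose action is another script interpreter, with mshta.exe in the ancestry, is the combination worth paging on. Tasks created through the Schedule service COM API rather than schtasks.exe will not show up here; for those, Windows Security event 4698 or Sysmon registry events under the TaskCache key are the complementary source.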
Malware Components
– MATCHWOK: A C#-written backdoor capable of executing PowerShell commands and transmitting the results to a remote server.
– DRAGSTARE: Also developed in C#, this stealer collects system information, extracts data from web browsers, and searches for specific file types (.docx, .doc, .xls, .txt, .ovpn, .rdp, .pdf) within the Desktop, Documents, and Downloads folders. Additionally, it captures screenshots and executes PowerShell commands received from an attacker-controlled server.
Contextualizing the Threat
This disclosure follows a detailed report by ESET, which highlighted Gamaredon’s intensified spear-phishing attacks against Ukrainian entities in 2024. The report detailed the use of six new malware tools designed for stealth, persistence, and lateral movement, including:
– PteroDespair: A PowerShell reconnaissance tool collecting diagnostic data on previously deployed malware.
– PteroTickle: A PowerShell weaponizer targeting Python applications converted into executables on fixed and removable drives to facilitate lateral movement by injecting code that likely serves PteroPSLoad or another PowerShell downloader.
– PteroGraphin: A PowerShell tool establishing persistence using Microsoft Excel add-ins and scheduled tasks, as well as creating an encrypted communication channel for payload delivery through the Telegraph API.
– PteroStew: A VBScript downloader storing its code in alternate data streams associated with benign files on the victim’s system.
– PteroQuark: A VBScript downloader introduced as a new component within the VBScript version of the PteroLNK weaponizer.
– PteroBox: A PowerShell file stealer resembling PteroPSDoor but exfiltrating stolen files to Dropbox.
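PteroStew's trick of parking its VBScript in an alternate data stream attached to a harmless file is visible at the file-system layer: writing a named stream is an event of its own, and scripts do not belong in streams of documents and images. The following is an added detection example written for this article, not code from ESET or from the tools it describes; the record layout loosely follows the fields of Sysmon Event ID 15 (FileCreateStreamHash), which is an assumption about the telemetry source, and all sample records are constructed.

```python
"""Flag script code written into NTFS alternate data streams (ADS) of benign-looking files.

Added example (not from the ESET report): the record layout loosely follows the
fields of Sysmon Event ID 15 (FileCreateStreamHash); all records are constructed.
"""
import re

# Streams that legitimate software writes routinely; everything else is worth a look.
BENIGN_STREAMS = {"zone.identifier"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta", ".wsf")
# Tokens typical of VBScript/JScript/PowerShell stagers.
SCRIPT_MARKERS = re.compile(
    r"(createobject\s*\(|wscript\.shell|msxml2\.xmlhttp|execute\s*\(|executeglobal|"
    r"invoke-expression|iex\s|downloadstring|frombase64string|eval\s*\()",
    re.IGNORECASE,
)


def split_stream(target: str):
    """Return (host file path, stream name) or (target, None) if no ADS is named."""
    head, _, tail = target.rpartition("\\")
    if ":" not in tail:
        return target, None
    name, _, stream = tail.partition(":")
    # Some sources append the stream type; drop it so "cfg:$DATA" compares as "cfg".
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return (f"{head}\\{name}" if head else name), stream


def classify_stream_event(event: dict):
    """Return a finding dict for a FileCreateStream-style record, or None if uninteresting."""
    if event.get("EventID") != 15:
        return None
    host, stream = split_stream(event["TargetFilename"])
    if stream is None or stream.lower() in BENIGN_STREAMS:
        return None
    contents = event.get("Contents", "")
    looks_like_script = stream.lower().endswith(SCRIPT_EXTENSIONS) or bool(SCRIPT_MARKERS.search(contents))
    return {
        "host_file": host,
        "stream": stream,
        "writer": event.get("Image", ""),
        "severity": "high" if looks_like_script else "medium",
        "rule": "script_in_ads" if looks_like_script else "unusual_ads",
    }


def scan(events: list) -> list:
    """Run the classifier over a batch of records and keep only the findings."""
    return [f for f in (classify_stream_event(e) for e in events) if f]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\Documents\report.docx:cfg",
     "Contents": 'Set sh = CreateObject("WScript.Shell")'},
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\user\Downloads\invoice.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\user\Desktop\notes.txt"},
    {"EventID": 15, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\user\Pictures\cat.jpg:todo",
     "Contents": "buy milk"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The Zone.Identifier stream (the mark-of-the-web that browsers add to downloads) is the one ADS almost every endpoint writes, so it is excluded up front; any other named stream is at least worth a medium-severity look, and one whose name or content resembles script is rated high. Because the stealer described in the same report hunts for .docx, .pdf and similar files in user folders, a stream written under one of those host files by a script host or cmd.exe is a particularly strong signal.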
According to security researcher Zoltán Rusnák, Gamaredon’s spear-phishing activities significantly intensified during the second half of 2024. Campaigns typically lasted one to five consecutive days, with emails containing malicious archives (RAR, ZIP, 7z) or XHTML files employing HTML smuggling techniques.
Implications and Recommendations
The persistent and evolving nature of these cyber threats underscores the importance of heightened vigilance among Ukrainian organizations. Entities are advised to:
– Exercise Caution with Emails: Be wary of unsolicited emails, especially those containing links or attachments, even if they appear to originate from legitimate sources.
– Verify Links Before Clicking: Hover over links to preview the URL and ensure it directs to a legitimate and expected destination.
– Keep Software Updated: Regularly update all software, including security patches, to mitigate vulnerabilities that could be exploited by attackers.
– Implement Robust Security Measures: Utilize comprehensive security solutions that can detect and prevent such sophisticated attack vectors.
By adopting these practices, organizations can enhance their resilience against the sophisticated tactics employed by threat actors like UAC-0099 and Gamaredon.