Threat Actor 'UAC-0099' Continues to Target Ukraine

Key Takeaways

• "UAC-0099" is a threat actor that has targeted Ukraine since mid-2022
• Deep Instinct Threat Lab has identified new attacks by the threat actor
• The threat actor was observed leveraging CVE-2023-38831
• The threat actor targets Ukrainian employees working for companies outside of Ukraine

Introduction

In May 2023, the Ukrainian CERT published advisory #6710 about a threat actor dubbed “UAC-0099.” The advisory briefly details the threat actor’s activities and tools.

Since the CERT-UA publication in May, Deep Instinct has identified new attacks carried out by “UAC-0099” against Ukrainian targets.

This blog post will shed additional light on the threat group’s recent attacks, which feature common tactics, techniques, and procedures (TTPs), including the use of a fabricated court summons to bait targets in Ukraine into executing the malicious files.

Important note: Some of the C2 servers related to these attacks are still active at the time of publication.

RAR SFX with LNK Infection Vector

In early August, “UAC-0099” sent an email impersonating the Lviv city court using the ukr.net email service.

The email was sent to a corporate email box of a Ukrainian employee working remotely for a company outside of the Ukraine.

The attached is an executable file created by WinRAR, the Windows-based file archiver and compression utility that can compress a file as a self-extracting archive (SFX):

After extracting the contents of the archive, a new file is created with a double extension, in this case docx.lnk:

The file looks like a regular document file. However, it’s a LNK shortcut disguised as a DOCX file. Closer inspection reveals that the file uses the “WordPad” application icon instead of a DOCX icon. When opened, the specially crafted LNK file executes PowerShell with malicious content:

The malicious PowerShell code decodes two base64 blobs and writes the output into VBS and DOCX files. After that, the PowerShell code opens the DOCX file as a decoy while also creating a new scheduled task that executes the VBS file every three minutes.

The VBS malware was named “LonePage” by CERT-UA. When executed, it creates a hidden PowerShell process that communicates with a hardcoded C2 URL to fetch a text file. The rest of the PowerShell code is executed only if the response from the C2 is greater than one byte. In that instance, the PowerShell script checks to see if the string “get-content“ is included in the text file. If the string is present, then the script executes the code from the server and saves it as an array of bytes. If the string is absent, the script executes a combination of commands inside the text file from the server and some hard-coded basic enumeration commands such as “whoami:”

Regardless of the C2 response, the results of executing the commands inside the txt file or the hardcoded commands are sent back to the same C2 server. However, it is sent to a different port via HTTP POST method.

The DOCX document is a decoy to trick the victim into thinking they’re opening a legitimate DOCX file containing a court summons instead of a malicious file:

In early November, another instance of this campaign was observed using a different C2 address — 196.196.156[.]2.

Since the threat actor controls the content of the “upgrade.txt” files, they can change it according to their objectives. As such, the content is not always the same and can vary.

The following code was observed as a response from the C2 server at 2023-11-08 14:50:30 UTC.

This PowerShell code is responsible for taking a screenshot. As mentioned above, the LonePage VBS sends the results back to the C2, allowing the threat actor to execute any PowerShell code on the infected computer and receive the response back.

At the end of November 2023, another campaign instance was observed using the C2 address 2.59.222[.]98. In this case, the payload response from the C2 server aligns with what was described as “recon” activity in the pastebin:

The decoy document is a PDF file instead of a DOCX. And instead of the usual court summons document, the PDF file shows a smudged document:

HTA Infection Vector

In contrast to the LNK attack vector described earlier, this attack uses HTA. The HTA method is similar, but there are notable differences. Instead of an LNK file invoking PowerShell, the HTA file includes HTML code that contains a VBScript that executes PowerShell. The scheduled task cadence is also different — it runs every four minutes instead of three in the previous cases.

While CERT-UA reported in their advisory that the HTA file drops an HTML file as a decoy, Deep Instinct observed a similar court summons DOCX decoy document, like what was observed in the LNK chain.

CVE-2023-38831 Infection Vector

In both attacks described below, “UAC-0099” exploited a known WinRAR vulnerability, identified by Group-IB and traced back to April 2023.

The vulnerability stems from how WinRAR processes ZIP files. The exploitation requires a user to interact with a specially crafted ZIP archive.

Here’s how it works: the attacker creates an archive with a benign filename with a space after the file extension — for example, “poc.pdf .” The archive includes a folder with the same name, including the space (something that is not possible under normal conditions, since the operating system does not allow the creation of a file with the same name). The folder includes an additional file with the same name as the benign file, including a space, followed by a “.cmd” extension.

When a user opens a ZIP file containing these files in an unpatched version of WinRAR and double-clicks on the benign file, the file with the “cmd” extension is executed instead.

The vulnerability might produce higher infection rates because the attacks are disguised so well; even security-savvy victims can fall for the deception. Expecting to open a benign file, the user will inadvertently execute malicious code.

You can find a POC for the vulnerability in GitHub. A patched WinRAR (version 6.23) was released on August 2, 2023.

Deep Instinct identified two ZIP files created by “UAC-0099" on August 5, 2023:

The malicious “cmd” file is different in the two files, each containing a different C2 URI path.

The modification time between the two files is only two seconds, indicating that, most likely, the files were created in an automated fashion. This, combined with the fact that UAC-0099 started to exploit the vulnerability several days after the patch, shows the level of sophistication of the attackers.

While Google TAG identified several Russian threat actors using the vulnerability to attack Ukrainian targets, the UAC-0099 activity is absent in their blog.

The CVE assignment and the Group-IB blog about the vulnerability were published after “UAC-0099” leveraged the attack technique, indicating they likely knew how to exploit it.

The decoy used in this campaign was once again the “summon to court” document theme.

Conclusions and Recommendations

The tactics used by “UAC-0099” are simple, yet effective. Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file.

Monitoring and limiting the functionality of those components can reduce the risk of “UAC-0099” attacks — and/or identify them quickly in the event of compromise.

The WinRAR exploitation is an interesting choice. Some people don’t update their software in a timely fashion, even with automatic updates. WinRAR requires a manual update, meaning that even if a patch is available, many people will likely still have a vulnerable version of WinRAR installed.

Please make sure you have the latest version of WinRAR installed.

IOCs and the POC for the CVE-2023-38831 can be found on our GitHub.

IOCs

147.78.46[.]40

196.196.156[.]2

2.59.222[.]98