UAC-0200
Location | Luhansk People's Republic (LPR, a self-proclaimed breakaway region in Ukraine supported by Russia)
Date of Initial Activity | 2024 |
Suspected attribution | State-sponsored threat group |
Government Affiliation | Yes |
Associated Groups | UAC-0057 (GhostWriter) |
Motivation | Cyberwarfare |
Associated Tools | DarkCrystal RAT |
Overview
UAC-0200 is a recently identified threat actor engaged in cyber espionage. The group is known for targeted attacks that rely primarily on social engineering to deliver malware, and it has been linked to a series of intrusions that use popular instant messaging platforms as the delivery vector. In these attacks it deploys the DarkCrystal RAT (DCRat) remote access trojan.
UAC-0200’s campaigns exploit the trust placed in messaging applications and their everyday use, which makes the lures particularly deceptive. By sending spear-phishing emails with malicious attachments, the group tricks victims into compromising their own systems. Its use of legitimate software and communication tools in the attack chain shows mature operational tradecraft and an ability to blend malicious activity into routine online interactions.
UAC-0200’s emergence and tactics reflect a broader trend in which adversaries increasingly rely on social engineering and legitimate applications to reach their objectives, and underline the continued need for vigilance and adaptive security measures against such threats.
Common targets
Ukrainian Defense Forces: UAC-0200 has targeted military personnel and defense-related organizations. This includes the use of malware like SPECTR, which is employed in espionage campaigns to gather sensitive information from defense sectors.
Government Institutions: UAC-0200’s operations also extend to Ukrainian government institutions. These targets are part of a broader campaign to gain intelligence on governmental operations and sensitive information.
Attack Vectors
Spearphishing and Malicious Downloads
How they operate
UAC-0200’s operations are characterised by the use of the Signal messenger application as the delivery channel for malicious payloads. Signal’s reputation for secure communication is exploited to gain the trust of potential victims: phishing messages sent through the platform carry malicious attachments disguised as legitimate files, increasing the likelihood that recipients inadvertently execute them.
The malware distributed by UAC-0200, DarkCrystal RAT, is embedded in self-extracting archives sent to victims. These archives, which can carry extensions such as “.pif” or “.exe”, typically contain a combination of Visual Basic Encoded (VBE) scripts, Batch (BAT) files and executable (EXE) files. Once the EXE file runs, it installs DarkCrystal RAT, giving the attackers remote access to the compromised system and a foothold in the targeted network while bypassing traditional security controls.
The operational tactics of UAC-0200 show a high level of planning. Combining a trusted communication tool like Signal with a multi-stage delivery chain lets the actor evade detection and raise the success rate of its phishing campaigns, which in turn calls for stronger detection and prevention controls against such threats.
MITRE Tactics and Techniques
Initial Access
Phishing: Spearphishing Attachment (T1566.001)
Signal Messenger Drops Suspicious Files (via file_event)
Execution
Command and Scripting Interpreter: Visual Basic (T1059.005)
LOLBAS WScript / CScript (via process_creation)
User Execution: Malicious File (T1204.002)
Possible Self-Extracting Archive was Executed (via file_event)
Execution from Zip (via process_creation)
Execution from RAR Archive [WinRAR] (via process_creation)
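To show what the detection names above look like when applied to the delivery chain described under “How they operate” (Signal dropping a .pif/.exe self-extracting archive, which then runs a VBE script through wscript), here is an added Python example that is not part of the original page or any vendor's rule set. The event fields, paths and file names are constructed samples, and the two rules are simplified stand-ins for the file_event and process_creation detections listed above.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs), modelled on the two event sources
# the detection names on the page cite: file_event and process_creation.
SIGNAL = r"C:\Users\u\AppData\Local\Programs\signal-desktop\Signal.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Signal writing a chat attachment with a .pif extension to disk
    {"type": "file_event", "image": SIGNAL, "target": r"C:\Users\u\Downloads\attachment.pif"},
    # Benign: Signal writing an image attachment
    {"type": "file_event", "image": SIGNAL, "target": r"C:\Users\u\Downloads\photo.jpg"},
    # The self-extracting archive launching its embedded VBE script through wscript
    {"type": "process_creation", "parent_image": r"C:\Users\u\Downloads\attachment.pif",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stage1.vbe"},
    # Benign: an admin script started from explorer
    {"type": "process_creation", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\tools\backup.vbs"},
]

DROPPED_EXT = (".pif", ".exe", ".vbe", ".bat", ".scr")  # extensions named on the page, plus .scr
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")           # LOLBAS script hosts
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # where a dropped archive would land

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()

def signal_drops_suspicious_file(ev: Dict[str, str]) -> bool:
    """Signal.exe writing an executable-type attachment to disk (file_event rule)."""
    return (ev["type"] == "file_event" and _name(ev["image"]) == "signal.exe"
            and _ext(ev["target"]) in DROPPED_EXT)

def script_host_from_sfx(ev: Dict[str, str]) -> bool:
    """wscript/cscript running a VBE whose parent is a .pif/.exe in a user-writable path."""
    if ev["type"] != "process_creation" or _name(ev["image"]) not in SCRIPT_HOSTS:
        return False
    parent = ev["parent_image"].lower()
    return (_ext(parent) in (".pif", ".exe") and any(d in parent for d in USER_WRITABLE)
            and ".vbe" in ev["cmdline"].lower())

def run_detections(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    rules = {"Signal Messenger Drops Suspicious Files": signal_drops_suspicious_file,
             "LOLBAS WScript / CScript from SFX": script_host_from_sfx}
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in rules.items() if rule(ev)]
```

Correlating the two hits on the same file name (the .pif written by Signal later appearing as the parent of wscript) is what turns two medium-confidence alerts into a high-confidence one for this chain.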