The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a recent cyber attack by the threat actor UAC-0099, targeting various Ukrainian government and defense sectors. These attacks use phishing emails with court summons as a lure to deliver new malware families, including MATCHBOIL, MATCHWOK, and DRAGSTARE, for espionage purposes.
CERT-UA has issued a warning about a recent series of cyber attacks carried out by the threat actor UAC-0099. These sophisticated attacks are specifically aimed at government agencies, the defense forces, and the defense-industrial complex of Ukraine. The primary method of initial compromise for these attacks is phishing emails. The attackers use these emails to distribute several new types of malware, including MATCHBOIL, MATCHWOK, and DRAGSTARE.
The main objective of these attacks appears to be espionage, reflecting a long-standing pattern of targeting Ukrainian entities by UAC-0099.
The latest infection chain begins with deceptive emails that contain lures related to court summons. These emails are sent from UKR.NET addresses and include links that have been shortened using services like Cuttly. When a recipient clicks on one of these links, they are led to a double archive file that contains an HTML Application (HTA) file. This HTA file is the key to the infection. Upon execution, it triggers an obfuscated Visual Basic Script, which in turn creates a scheduled task for persistence on the system.
This script then launches a loader named MATCHBOIL, a C#-based program designed to deploy additional malicious payloads.
The latest infection chain begins with deceptive emails that contain lures related to court summons. These emails are sent from UKR.NET addresses and include links that have been shortened using services like Cuttly. When a recipient clicks on one of these links, they are led to a double archive file that contains an HTML Application (HTA) file. This HTA file is the key to the infection.
Upon execution, it triggers an obfuscated Visual Basic Script, which in turn creates a scheduled task for persistence on the system. This script then launches a loader named MATCHBOIL, a C#-based program designed to deploy additional malicious payloads.
The MATCHBOIL loader is responsible for dropping two additional malware families: MATCHWOK and DRAGSTARE. Both are written in C#. MATCHWOK is a backdoor that gives the attacker the ability to execute PowerShell commands on the compromised system and send the results to a remote server. Meanwhile, DRAGSTARE is a powerful information stealer. It is designed to collect a wide range of sensitive data, including system information, browser data, and specific file types (such as .docx, .pdf, .txt) from folders like “Desktop,” “Documents,” and “Downloads.” DRAGSTARE also captures screenshots and can execute additional PowerShell commands received from a server controlled by the attackers.
The disclosure of these attacks by CERT-UA comes shortly after a detailed report by the cybersecurity firm ESET, which documented relentless spear-phishing attacks by the threat actor Gamaredon (also known as Armageddon). Gamaredon’s campaigns, which have also targeted Ukrainian entities, intensified during the second half of 2024.
This group is known for using malicious archives (RAR, ZIP, 7z) and HTML smuggling to deliver a variety of malware tools. The continuous activity of both UAC-0099 and Gamaredon highlights the persistent and evolving cyber threats faced by Ukraine’s government and defense sectors, with attackers constantly developing new tools and tactics to evade detection.
The threat actors, particularly Gamaredon, are constantly innovating. ESET’s report details six new malware tools used by this group, including PteroDespair for reconnaissance, PteroTickle for lateral movement, and PteroGraphin for establishing persistence. They also leverage legitimate third-party services like Telegram, Cloudflare, and Dropbox to obfuscate their command-and-control (C2) infrastructure, making it harder to track their activities.
The sophistication and persistence of these attacks, despite observable limitations in some cases, underscore the significant and ongoing threat these state-aligned actors pose. Their aggressive spear-phishing campaigns and continuous efforts to bypass security measures make them a formidable adversary in the cyber domain.
Reference:
