UAC-0125, a threat actor linked to the Russian GRU, has been observed exploiting Cloudflare Workers to distribute malware disguised as a legitimate mobile app, Army+, developed by Ukraine’s Ministry of Defence. The Army+ app, introduced in August 2024, aims to digitize military operations and reduce reliance on paper. However, UAC-0125 has created counterfeit websites using Cloudflare’s platform, tricking military personnel into downloading a fake Windows executable masquerading as the app. This attack targets the Ukrainian military, leveraging the trust placed in official government applications.
Once downloaded, the malicious binary, created using the open-source Nullsoft Scriptable Install System (NSIS), prompts users to launch a decoy file while secretly executing a PowerShell script. The script installs OpenSSH on the infected machine, generates an RSA key pair, and adds the public key to the “authorized_keys” file. The private key is then exfiltrated to a remote server controlled by the attacker, using the anonymity of the TOR network. The ultimate goal is to establish remote access to the victim’s machine, enabling further exploitation.
This attack highlights a broader trend of abuse of legitimate services to facilitate cyberattacks. CERT-UA’s disclosure underscores the growing use of Cloudflare Workers in phishing and malware distribution. Cloudflare’s platform, known for its legitimate use in hosting web applications, has become an attractive tool for cybercriminals, as it allows them to circumvent traditional security measures. This trend has been on the rise in 2024, with a significant increase in phishing attacks hosted on Cloudflare Pages and Workers, according to Fortra’s recent report.
The rise in such malicious activity is part of a larger geopolitical context, as the European Council imposed sanctions on several individuals and entities linked to Russian cyber operations. These sanctions include targeting GRU Unit 29155, known for its involvement in assassination attempts, cyberattacks, and other destabilizing activities across Europe. The growing prevalence of cyberattacks, including those involving legitimate services like Cloudflare, underscores the need for enhanced cybersecurity measures and international cooperation to address these persistent threats.
Reference:
