UAC-0198 (Cybercriminals) – Threat Actor

February 11, 2025
in Threat Actors
UAC-0198

Date of initial activity: 2024
Location: Russia
Suspected attribution: Cybercriminals
Motivation: Cyberwarfare
Software: Windows

Overview

UAC-0198 is the identifier that Ukraine's Computer Emergency Response Team (CERT-UA) assigned to a cybercriminal group behind recent high-profile cyberattacks on Ukrainian government entities. Its activity illustrates the threat posed by groups that combine malware with social engineering to get into public-sector networks. In August 2024, CERT-UA tracked the mass distribution of ANONVNC (also known as MESHAGENT), a remote access tool that UAC-0198 used to compromise over 100 computers in Ukrainian state and local government agencies. The intrusions began with a targeted phishing campaign whose messages appeared to come from trusted sources such as the Security Service of Ukraine and lured recipients into downloading malicious attachments.

The group is believed to have been active since at least July 2024, and its operations have grown in scale and sophistication. ANONVNC, a repurposed build of MESHAGENT, was likely chosen because it is flexible and effective at establishing hidden, persistent access to compromised systems. By pairing known vulnerabilities with social engineering, UAC-0198 shows how cybercriminals increasingly evade detection, keep long-term access to compromised environments, and run cyber-espionage or data-exfiltration campaigns with little immediate consequence.

Common targets: Individuals, Public Administration, Ukraine

Attack vectors: Phishing

How they operate

The campaign, tracked by CERT-UA as UAC-0198, began with deceptive phishing emails purporting to be from the Security Service of Ukraine (SBU). The emails contained links that, when clicked, downloaded malicious files. These files carried innocuous-looking names such as "Scan_docs#40562153.msi" or "Scan_docs#14107386.exe" but were MSI and EXE installers for the ANONVNC malware. Once executed, they installed ANONVNC, which gave the attackers remote access to the affected systems. That access was typically used to monitor user activity, gather sensitive information, or plant additional malware for further exploitation.

ANONVNC is a remote access tool that works much like legitimate tools such as VNC (Virtual Network Computing), but is deployed with malicious intent. What sets it apart is its stealth and persistence. Once deployed, the malware establishes a covert communication channel, often over encrypted protocols, to command-and-control (C2) servers. These servers, hosted on domains such as syn.hiddenvnc[.]com or anonvnc[.]com, are used by the attackers to issue commands and exfiltrate data. ANONVNC also uses file-sharing services such as pCloud to host its payloads, which makes the payloads harder to trace and block by traditional means.

The malware ships with a customized settings file that mirrors the configuration of MESHAGENT, an open-source remote management tool available on GitHub, which indicates that UAC-0198 has repurposed or modified the MESHAGENT source code for its operations. Building on existing code is common among advanced threat actors: it saves time and resources while leaving room to adapt the tooling to different targets. The group also uses obfuscation to avoid detection by security software; for example, ANONVNC's payload may be encrypted or compressed so that it slips past traditional endpoint detection.

Once executed, the malware drops files into system directories including %PROGRAMDATA% and %PROGRAMFILES(X86)%, where it places its main executable and any associated components. In some cases, files are placed in the Startup folder so that the malware runs every time the machine boots. Establishing itself in these locations gives the malware persistence across reboots, which is critical for long-term espionage. ANONVNC also sets registry keys for auto-start, which makes it harder to remove.

To make its operations harder to detect, UAC-0198 layers obfuscation with the use of legitimate file-sharing services and domains. Platforms such as pCloud, generally considered benign, and dynamic domains hosted on Cloudflare or other CDN services complicate efforts to block or trace the activity. The actor also rotates IP addresses and domains regularly, likely to make attribution and blocking more difficult. Through these mechanisms, UAC-0198 can keep control of compromised systems, steal valuable data, spread additional malware, and conduct reconnaissance. The group has shown considerable operational flexibility, targeting both high-profile government agencies and local organizations, with a particular focus on Ukraine's governmental networks. Its technical sophistication reflects the increasing complexity of modern cyberattacks and the evolving threat landscape that organizations face globally.
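The indicators in the two paragraphs above (lure file names, the C2 and payload-hosting domains, the drop directories, Startup-folder and registry auto-start persistence) translate directly into host-telemetry detections. The following is an added example, not code from CyberMaterial or CERT-UA: a small triage routine that scans Sysmon-style JSON events for those indicators and returns labelled hits. The event schema, field names, the sample log lines and the file and key names in them are constructed for this example; only the lure-name pattern, the domains and the directory names come from the profile.

```python
"""Triage constructed host telemetry for the UAC-0198 / ANONVNC indicators
described in the profile. Event schema and sample data are constructed
for this example (not a real Sysmon export)."""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List

# Lure file names quoted in the profile, e.g. "Scan_docs#40562153.msi".
LURE_NAME = re.compile(r"(?i)Scan_docs#\d+\.(?:msi|exe)\b")

# C2 domains quoted in the profile (defanging brackets removed) and the
# file-sharing service the profile says hosts payloads.
C2_DOMAINS = {"hiddenvnc.com", "anonvnc.com"}
HOSTING_DOMAINS = {"pcloud.com"}

# Drop and persistence locations described in the profile.
DROP_DIRS = re.compile(r"(?i)^[A-Z]:\\(?:ProgramData|Program Files \(x86\))\\")
STARTUP_DIR = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")


def _in_domains(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_event(ev: Dict) -> List[str]:
    """Return alert labels for one event dict; empty list means no hit."""
    alerts: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        if LURE_NAME.search(ev.get("image", "")) or LURE_NAME.search(ev.get("cmdline", "")):
            alerts.append("lure-filename")
    elif kind == "file_create":
        path = ev.get("path", "")
        if LURE_NAME.search(path):
            alerts.append("lure-filename")
        if DROP_DIRS.search(path):
            alerts.append("drop-location")
        if STARTUP_DIR.search(path):
            alerts.append("startup-persistence")
    elif kind == "registry_set":
        if RUN_KEY.search(ev.get("key", "")):
            alerts.append("runkey-persistence")
    elif kind == "dns_query":
        host = ev.get("host", "")
        if _in_domains(host, C2_DOMAINS):
            alerts.append("c2-domain")
        elif _in_domains(host, HOSTING_DOMAINS):
            alerts.append("payload-hosting")  # weaker signal: pCloud is a legitimate service
    return alerts


def triage_log(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-per-line telemetry and return only the events that hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the triage
        alerts = triage_event(ev)
        if alerts:
            hits.append({"line": n, "event": ev.get("event"), "alerts": alerts})
    return hits


def summarize(lines: Iterable[str]) -> Counter:
    """Count alert labels across the whole log."""
    counts: Counter = Counter()
    for hit in triage_log(lines):
        counts.update(hit["alerts"])
    return counts


# Constructed sample telemetry (user name, SID, service path and .lnk name are made up).
SAMPLE_LOG = r"""{"event":"process_create","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\olena\\Downloads\\Scan_docs#40562153.msi /qn"}
{"event":"file_create","path":"C:\\ProgramData\\svc\\agent.exe"}
{"event":"file_create","path":"C:\\Users\\olena\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent.lnk"}
{"event":"registry_set","key":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\agent","value":"C:\\ProgramData\\svc\\agent.exe"}
{"event":"dns_query","host":"syn.hiddenvnc.com"}
{"event":"dns_query","host":"api.pcloud.com"}
{"event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}
{"event":"dns_query","host":"www.microsoft.com"}
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']:>2} {hit['event']:<16} {', '.join(hit['alerts'])}")
    print(dict(summarize(SAMPLE_LOG.splitlines())))
```

The domain check matches subdomains as well as the apex, so the profile's syn.hiddenvnc[.]com is caught without listing every host the actor rotates through; the pCloud hit is reported under a separate, weaker label because the service itself is legitimate and should be correlated with the other indicators rather than blocked on its own.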
As cybersecurity defenses improve, groups like UAC-0198 continue to adapt and refine their tactics, ensuring that they remain a significant threat to both government and private sector entities.

References:
  • UAC-0198: Mass distribution of ANONVNC (MESHAGENT) among Ukrainian government organizations (CERT-UA#10647)