The threat actor known as UAC-0099 continues to target Ukraine, employing a high-severity WinRAR software flaw to distribute the LONEPAGE malware. Focused on Ukrainian employees in international companies, the attacker leverages multiple infection methods, including phishing emails with HTA attachments, self-extracting archives, and ZIP files exploiting the WinRAR vulnerability (CVE-2023-38831).
LONEPAGE, a Visual Basic Script malware, establishes contact with a command-and-control server, enabling unauthorized remote access to infected computers. The attacks began in June 2023, according to the Computer Emergency Response Team of Ukraine (CERT-UA), with espionage motives against state organizations and media entities. Deep Instinct’s recent analysis reveals that UAC-0099’s tactics include phishing emails with HTA attachments, using a lure disguised as a DOCX file about a court summons.
Additionally, the attacker uses self-extracting (SFX) archives and booby-trapped ZIP files that exploit the WinRAR vulnerability to distribute LONEPAGE. The SFX file contains an LNK shortcut posing as a DOCX file, enticing victims with a Microsoft WordPad icon. When opened, the shortcut executes malicious PowerShell code, leading to the deployment of LONEPAGE. Another attack method involves a specially crafted ZIP archive that triggers CVE-2023-38831, demonstrating the group’s adaptability. Despite variations in the initial infection vector, the core strategy remains consistent: PowerShell and a scheduled task are used to execute a VBS file.
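The process chains described above (a WinRAR child process from a crafted archive, an HTA opened from a mail attachment, PowerShell launched by a shortcut, and a scheduled task running a VBS file) are the parts of this campaign a defender can watch for in process-creation telemetry. The following is an added example, written for this page and not code from the article, Deep Instinct or CERT-UA: a small set of detection heuristics run over constructed Sysmon-style process-creation records. The event records, file names and paths are invented; the `Rar$` temporary folder name is the one WinRAR uses when extracting a file opened from inside an archive, and the command-line patterns are tuned to the chain the article describes rather than being general-purpose rules.

```python
"""
Toy process-creation detections for the UAC-0099 infection chain.

Each Event mirrors the three fields of a Sysmon EventID 1 record that the
rules need (ParentImage, Image, CommandLine). All sample events below are
constructed for this example; none is real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles '/' or '\\' separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_winrar_child_script(ev: Event) -> bool:
    """CVE-2023-38831 style: WinRAR.exe launching a script host whose command
    line points into WinRAR's own temporary extraction folder (%TEMP%\\Rar$...).
    A decoy document opened from a crafted archive runs a script instead."""
    return (basename(ev.parent_image) == "winrar.exe"
            and basename(ev.image) in SCRIPT_HOSTS
            and re.search(r"\\Temp\\Rar\$", ev.command_line, re.I) is not None)


def rule_schtasks_vbs(ev: Event) -> bool:
    """PowerShell registering a scheduled task whose action is a .vbs file:
    the persistence step the article attributes to LONEPAGE deployment."""
    return (basename(ev.parent_image) == "powershell.exe"
            and basename(ev.image) == "schtasks.exe"
            and re.search(r"/create", ev.command_line, re.I) is not None
            and re.search(r"\.vbs\b", ev.command_line, re.I) is not None)


def rule_lnk_powershell(ev: Event) -> bool:
    """Explorer (i.e. a double-clicked shortcut) starting a hidden or encoded
    PowerShell session. Heuristic: expect some admin-tool false positives."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) == "powershell.exe"
            and re.search(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s",
                          ev.command_line, re.I) is not None)


def rule_mshta_user_path(ev: Event) -> bool:
    """mshta.exe executing an .hta stored where mail clients and browsers drop
    attachments (Downloads, Temp, INetCache, Content.Outlook)."""
    return (basename(ev.image) == "mshta.exe"
            and re.search(r"\\(Downloads|Temp|INetCache|Content\.Outlook)\\[^\"]*\.hta\b",
                          ev.command_line, re.I) is not None)


RULES = {
    "winrar_child_script": rule_winrar_child_script,
    "schtasks_vbs": rule_schtasks_vbs,
    "lnk_powershell": rule_lnk_powershell,
    "mshta_user_path": rule_mshta_user_path,
}


def triage(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events (hypothetical user 'u', hypothetical file names).
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Windows\System32\cmd.exe",
          r'"C:\Users\u\AppData\Local\Temp\Rar$DIa1234.56789\summons.docx .cmd"'),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Update" /tr "wscript.exe C:\Users\u\AppData\Roaming\upd.vbs" /sc minute /mo 3 /f'),
    Event(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r'"C:\Users\u\Documents\report.docx"'),  # benign: should not fire
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -WindowStyle Hidden -EncodedCommand AAAA"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Users\u\Downloads\summons.hta"'),
]

if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx].command_line}")
```

Run stand-alone, the script flags events 0, 1, 3 and 4 and stays silent on the benign Word launch. In practice these patterns belong in the EDR or SIEM rule language rather than in Python, and the `lnk_powershell` heuristic in particular needs tuning against the environment's normal PowerShell usage before it is used for alerting.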
CERT-UA had previously reported unauthorized remote access to dozens of Ukrainian computers by UAC-0099 during 2022-2023. The recent findings underscore the group’s resilience and continued focus on cyber operations targeting Ukraine, emphasizing the evolving nature of cyber threats against nations and organizations.