December 22, 2023 at 03:42AM
The threat actor UAC-0099 is targeting Ukrainian employees of foreign companies with malware attacks, exploiting the WinRAR vulnerability CVE-2023-38831 to deliver the LONEPAGE strain. The attacks use several kinds of file attachments and delivery methods, all arriving via phishing messages, to deploy the malware. Deep Instinct's analysis details the tactics employed; separately, CERT-UA warns of a new phishing campaign by UAC-0050.
Key takeaways from the report:
– The threat actor UAC-0099 has been linked to ongoing attacks targeting Ukraine, often exploiting a high-severity WinRAR vulnerability (CVE-2023-38831) to distribute the LONEPAGE malware.
– Cybersecurity firm Deep Instinct highlighted UAC-0099’s targeting of Ukrainian employees working for companies outside of Ukraine and its use of phishing messages containing HTA, RAR, and LNK file attachments to deploy LONEPAGE.
– UAC-0099 also distributed LONEPAGE through self-extracting (SFX) archives and booby-trapped ZIP files, the latter containing a decoy file named to look like a DOCX inside an archive crafted to trigger CVE-2023-38831.
– Regardless of the initial infection vector, the infection chain converges on the same core: PowerShell creates a scheduled task that executes a VBS file.
– CERT-UA warned of a new wave of phishing messages purporting to be outstanding Kyivstar dues, attributed to UAC-0050 and aimed at spreading the Remcos remote access trojan (RAT).
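The booby-trapped ZIP archives above have a recognisable on-disk shape, and a triage script can flag it before anyone opens the file in WinRAR. The following is an added example written for this summary, not code from Deep Instinct, CERT-UA or the report they describe. It assumes the publicly documented CVE-2023-38831 archive layout: a decoy file (the DOCX-looking file mentioned above) sitting next to a directory of exactly the same name, typically with a trailing space, and inside that directory a script whose name begins with the decoy's name. The scanner generalises beyond the DOCX case to any decoy name and any common Windows executable extension; the sample archives it scans are constructed in memory with placeholder contents, so it runs offline and contains no malware.

```python
"""Heuristic scanner for ZIP archives laid out like the CVE-2023-38831 lures.

Added example, not code from the referenced report. It looks for the
file/directory name collision that characterises such archives; the archives
it builds for demonstration are constructed here with placeholder contents.
"""
from __future__ import annotations

import io
import os
import zipfile
from dataclasses import dataclass

# Extensions Windows hands to the shell or a script host (assumption; extend as needed).
EXECUTABLE_EXTS = {
    ".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".lnk",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta",
}


@dataclass(frozen=True)
class Finding:
    decoy: str            # archive entry the victim is shown
    payload: str          # script that would actually run
    trailing_space: bool  # the classic CVE-2023-38831 tell


def _parent_dirs(name: str) -> set[str]:
    """All directory prefixes of an entry path ('a/b/c' -> {'a', 'a/b'})."""
    parts = name.rstrip("/").split("/")
    return {"/".join(parts[:i]) for i in range(1, len(parts))}


def scan_archive(data: bytes) -> list[Finding]:
    """Return one Finding per decoy/payload pair matching the lure layout."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    # Directories may be explicit entries ('x/') or merely implied by nested paths.
    dirs: set[str] = set()
    for n in names:
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))
        dirs |= _parent_dirs(n)

    findings: list[Finding] = []
    for decoy in files:
        if decoy not in dirs:  # no same-named directory: ordinary archive
            continue
        decoy_base = decoy.rsplit("/", 1)[-1]
        for cand in files:
            if not cand.startswith(decoy + "/"):
                continue
            inner = cand[len(decoy) + 1:]
            if "/" in inner:  # only direct children of the colliding directory
                continue
            ext = os.path.splitext(inner)[1].lower()
            if inner.startswith(decoy_base) and ext in EXECUTABLE_EXTS:
                findings.append(
                    Finding(decoy, cand, decoy_base != decoy_base.rstrip())
                )
    return findings


def build_sample(decoy: str = "Report.docx ", malicious: bool = True) -> bytes:
    """Constructed sample archive; contents are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy, b"placeholder decoy document bytes")
        if malicious:
            # Same-named directory holding a script that shares the decoy's name.
            zf.writestr(f"{decoy}/{decoy}.cmd", b"@echo off\r\necho placeholder\r\n")
        else:
            zf.writestr("notes.txt", b"just another file")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("malicious", build_sample()), ("benign", build_sample(malicious=False)))
    for label, blob in samples:
        hits = scan_archive(blob)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  decoy={h.decoy!r} payload={h.payload!r} "
                  f"trailing_space={h.trailing_space}")
```

Run it on a real attachment with `scan_archive(open(path, "rb").read())`. A hit does not prove exploitation, since the directory/file collision is only the delivery shape, but a legitimate archive has no reason to contain a directory named identically to a sibling file with a trailing space, so a finding is worth quarantining and detonating in a sandbox rather than opening in WinRAR.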