Headline
UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
By Waqas UAC-0099 is a pro-Russian hacking group that has been targeting Ukraine since the conflict between the two countries began. This is a post from HackRead.com Read the original post: UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
The exploited WinRAR vulnerability was a zero-day flaw identified in August 2023 – Despite subsequent patching efforts, unpatched systems remain at risk and continue to be targeted.
Cybersecurity researchers at Deep Instinct Lab have revealed a new series of cyberattacks carried out by ‘UAC-0099,’ specifically targeting Ukrainians. These attacks employ common tactics such as using fabricated court summons to entice targets into executing malicious files.
The group’s activities were initially revealed in May 2023 through the Ukrainian CERT advisory ‘#6710,’ and Deep Instinct has now provided exclusive insights into their latest attack.
According to a blog post from the company, on December 21st, 2023, ‘UAC-0099’ utilized an email scam to impersonate the Lviv city court via the ukr.net email service. The target was a Ukrainian employee working remotely for a company outside Ukraine. The deceptive email contained an executable file created by WinRAR, named docx.lnk.
Although appearing as a regular document, it was an LNK shortcut designed to execute PowerShell with malicious content, decoding two base64 blobs and writing the output into VBS and DOCX files.
The VBS malware, identified as ‘LonePage’ by CERT-UA, establishes a concealed PowerShell process that communicates with a predefined C2 URL to retrieve a text file. The script verifies the presence of the string ‘get-content’ in the text file, subsequently executing the code from the server and saving it as an array of bytes.
The LonePage VBS (VBS) proves to be a potent tool, enabling cybercriminals to infiltrate computers and execute malicious code. Employing a deceptive tactic, it utilizes a DOCX decoy document, tricking victims into believing they are opening a legitimate file. Employing a method akin to the LNK attack vector, the HTA technique involves an HTML file incorporating a VBScript that executes PowerShell with a recurring four-minute task cadence.
In both incidents, the pro-Russian gang exploited a recognized WinRAR vulnerability, designated as CVE-2023-38831 in August 2023, and identified by Group-IB. This vulnerability arises from the way WinRAR processes ZIP files, requiring user interaction with a specially crafted ZIP archive for exploitation.
The attacker crafts a seemingly harmless archive by appending a space after the file extension. This archive contains a folder with an identical name and an extra file bearing a “.cmd” extension.
When a user double-clicks on the innocuous file, the associated “cmd” file is executed instead. This vulnerability heightens the risk of widespread infections, as even security-aware victims may inadvertently run malicious code while opening what appears to be a harmless file.
Researchers have found this gang’s tactics simple yet effective. They rely on PowerShell and create a scheduled task to execute a VBS file. Monitoring/restricting these components can reduce the risk of “UAC-0099” attacks and help identify them quickly in case of compromise.
The attack flow (Deep Instinct Lab)
This isn’t the first time Russian hackers have exploited known vulnerabilities. In early December, Hackread.com reported how the Russian GRU’s affiliated Forest Blizzard exploited an Outlook vulnerability allowing attackers to steal Net-NTLMv2 hashes and access user accounts.
On December 15, 2023, reports surfaced that Russian hackers breached a major US biomedical company in a TeamCity-linked attack. Despite the vulnerability, which scored 9.8 on the CVSS scale, being patched in September 2023, unpatched systems remain susceptible to ongoing cyberattacks.
****RELATED ARTICLES****
- Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack
- Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
- Microsoft warns of rising NOBELIUM credential attacks on defence sector
- Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
- Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks
Related news
Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate
The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first
Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a
A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively
This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.
By Habiba Rashid The 0-day vulnerability in WinRAR, which has been exploited, is targeting traders and has successfully stolen funds from 130 victims so far. This is a post from HackRead.com Read the original post: WinRAR users update your software as 0-day vulnerability is found
A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files.
RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.