“The attackers are targeting Ukrainian employees who work in companies outside of Ukraine,” says the report by the cyber security company Deep Instinct. UAC-0099 was first documented by the Ukrainian Computer Emergency Response Team (CERT-UA) in June 2023, which detailed espionage-motivated attacks on government organizations and media. The attack chain uses phishing emails carrying HTA, RAR, and LNK attachments that lead to the deployment of LONEPAGE, a malicious Visual Basic Script (VBS) that communicates with command-and-control (C2) servers to fetch additional payloads such as keyloggers, ransomware, and screenshot malware. CERT-UA said at the time that “between 2022 and 2023, the group gained unauthorized remote access to dozens of computers in Ukraine.”
According to Deep Instinct’s latest analysis, the use of HTA attachments is only one of three different infection chains; the other two use self-extracting archives (SFX) and booby-trapped ZIP files that exploit the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to distribute LONEPAGE. In the first case, the SFX file contains an LNK shortcut disguised as a DOCX file with a Microsoft WordPad icon, which tricks the victim into opening it and thereby executing malicious PowerShell code that drops the LONEPAGE malware.
Another series of attacks used a specially crafted ZIP archive exploiting CVE-2023-38831; Deep Instinct discovered two such artifacts created by UAC-0099 on August 5, 2023, three days after the WinRAR developers released a patch for this bug. The way UAC-0099 works is simple but effective. Although the initial infection vectors differ, the essence of the infection is the same: creating a scheduled task that executes PowerShell and VBS files.
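As an added detection example (not code from the report or from Deep Instinct), the following Python flags scheduled tasks whose action launches PowerShell or a script host, or passes a VBS/PS1 file as an argument, which is the persistence pattern described above. It parses Task Scheduler XML; both sample tasks, their names and paths are constructed for illustration.

```python
# Added example (not from the report): flag scheduled tasks whose <Exec> action
# launches PowerShell or a script host, the persistence pattern described above.
# Input is Task Scheduler XML (as exported by `schtasks /query /xml` or
# Export-ScheduledTask); both sample tasks below are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|ps1|hta|js)\b", re.IGNORECASE)

def suspicious_actions(task_xml: str):
    """Return (command, arguments) pairs for <Exec> actions that run a
    script host or pass a script file as an argument."""
    # Exported task files declare encoding="UTF-16"; once decoded to str the
    # declaration must go or expat rejects the multi-byte encoding.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml, count=1))
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        # normalise "C:\...\powershell.exe" or %SystemRoot%\system32\wscript.exe
        base = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SCRIPT_HOSTS or SCRIPT_EXT.search(cmd) or SCRIPT_EXT.search(args):
            hits.append((cmd, args))
    return hits

def scan_tasks(tasks: dict) -> list:
    """Return the names of tasks with at least one suspicious action."""
    return [name for name, xml in tasks.items() if suspicious_actions(xml)]

SAMPLE_TASKS = {
    # constructed: PowerShell wrapping a VBS, as in the chain described above
    "\\Microsoft\\Windows\\Updater": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -c "wscript.exe //b C:\\Users\\Public\\upd.vbs"</Arguments>
  </Exec></Actions>
</Task>""",
    # constructed: a benign vendor task that must not be flagged
    "\\Vendor\\Backup": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\backup.exe</Command>
    <Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>""",
}
```

On a live host, feed `scan_tasks` the XML of every task under `C:\Windows\System32\Tasks` (read with UTF-16 decoding) and review the flagged names against a known-good baseline.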