New Cybersecurity Threats: UAC-0099 Group Intensifies Attacks
The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a new wave of cyberattacks targeting government institutions and defense-sector enterprises in Ukraine.
According to the State Special Communications Service, the recent attacks are attributed to the UAC-0099 group, which has significantly updated its toolkit with three new malware families: MATCHBOIL, MATCHWOK, and DRAGSTARE. The campaign's goals are data theft and remote control of compromised systems.
The attacks begin with phishing emails, often disguised as official documents such as "court summons." Rather than carrying an attachment, the emails link to legitimate file-sharing services, from which the victim downloads a ZIP archive containing a malicious HTA file. This is the first stage of the attack.
Opening the HTA file runs embedded VBScript (HTA files are executed by mshta.exe), which drops two files on the victim's computer: one holding HEX-encoded data and another holding PowerShell code. A scheduled task is created to run the PowerShell script. The script decodes the HEX data into an executable, the MATCHBOIL loader, which then persists itself through a scheduled task of its own.
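A practical hunt for the stage-1 artifact described above is to look for files that consist entirely of hex text and decode to a PE image. The following is an added example, not CERT-UA code; the file paths and contents are constructed for the demo, and the "PE" sample is a minimal header buffer, not a real executable.

```python
"""Hunt for hex-encoded PE images dropped alongside a PowerShell decoder stub
(added example; file names and contents are constructed, not real samples)."""
import re
import struct
from typing import Dict, List, Optional

# Whole file must be hex digits plus whitespace (line breaks are common in such drops).
HEX_RE = re.compile(rb"\A[0-9A-Fa-f\s]+\Z")


def decode_hex_blob(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if the file is pure hex text, otherwise None."""
    if not data or not HEX_RE.match(data):
        return None
    compact = re.sub(rb"\s+", b"", data)
    if len(compact) % 2:
        return None
    try:
        return bytes.fromhex(compact.decode("ascii"))
    except ValueError:
        return None


def looks_like_pe(blob: bytes) -> bool:
    """Check the DOS 'MZ' stub and that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed minimal buffer with valid MZ/PE markers (not a runnable executable)."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def classify(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files that are hex-encoded PE images."""
    hits = []
    for name, content in files.items():
        blob = decode_hex_blob(content)
        if blob is not None and looks_like_pe(blob):
            hits.append(name)
    return hits


# Constructed sample "drop folder": one hex-encoded PE, one decoder stub, one hex-looking text file.
SAMPLE_FILES = {
    "C:\\Users\\victim\\AppData\\Roaming\\data.txt": build_fake_pe().hex().encode(),
    "C:\\Users\\victim\\AppData\\Roaming\\run.ps1": b"$h = Get-Content data.txt; [IO.File]::WriteAllBytes($out, $bytes)",
    "C:\\Users\\victim\\Documents\\notes.txt": b"deadbeef" * 4,  # hex, but far too short and not a PE
}

if __name__ == "__main__":
    for hit in classify(SAMPLE_FILES):
        print("hex-encoded PE image:", hit)
```

The second check matters: plain hex text is common (hashes, logs), so only flag files whose decoded form carries both the MZ stub and a PE signature at the offset the DOS header names.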
The primary targets of the group are Ukrainian government bodies, defense forces, and enterprises operating in the defense industrial complex.
CERT-UA's investigation identified three new malware families, indicating an evolution in the group's tooling.
MATCHBOIL (loader) delivers the primary malicious payload to the infected computer. It collects basic system information (processor ID, BIOS serial number, username, MAC address) so the command-and-control (C2) server can identify the victim, then downloads the next component and creates a registry key for automatic launch.
MATCHWOK (backdoor) lets the attackers execute arbitrary PowerShell commands remotely on the infected system. Commands arrive from the C2 server in encrypted form and are run through a copy of the PowerShell interpreter under a different file name, which defeats detections keyed only on the process name. The backdoor also has anti-analysis checks, looking for running processes associated with tools such as Wireshark.
DRAGSTARE (data stealer) performs broad data collection: system information, browser data (logins, passwords, cookies), and files with specific extensions from the Desktop and Documents folders.
RECOMMENDATIONS FROM CERT-UA
To counter these threats, the following measures should be taken:
- Tighten control over incoming correspondence and train employees to recognize phishing emails, including ones that link to legitimate file-sharing services instead of carrying an attachment.
- Restrict script execution: change the default handler for .hta files away from mshta.exe, or block mshta.exe with application control, and constrain PowerShell with execution policy and logging.
- Monitor endpoints for newly created scheduled tasks (Windows Security event 4698 with task-creation auditing enabled) and for processes spawned by mshta.exe.
- Protect the network perimeter with up-to-date IDS/IPS systems.
- Keep software updated to close known vulnerabilities.
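The two endpoint checks above, new scheduled tasks that launch a script host and a PowerShell interpreter running under another file name, can be expressed as simple rules over process and task-creation telemetry. The following is an added example, not CERT-UA tooling; the events are constructed in the shape of a Windows Security 4698 record (TaskContent XML) and Sysmon Event ID 1 process-creation records, and the task names and paths are invented for the demo.

```python
"""Detection rules for scheduled tasks that launch script hosts and for a renamed
PowerShell interpreter (added example; all events below are constructed)."""
import re
from typing import Dict, List

SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
POWERSHELL_NAMES = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_command(task_xml: str) -> str:
    """Pull <Command> and <Arguments> from 4698 TaskContent XML (regex is enough for this check)."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_xml, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", task_xml, re.S)
    return ((cmd.group(1) if cmd else "") + " " + (args.group(1) if args else "")).strip()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of finding strings for one event (empty if benign)."""
    findings = []
    if ev.get("EventID") == "4698":  # Security: a scheduled task was created
        cmd = task_command(ev.get("TaskContent", ""))
        if any(host in cmd.lower() for host in SCRIPT_HOSTS):
            findings.append(f"scheduled task {ev.get('TaskName')} launches a script host: {cmd}")
    elif ev.get("EventID") == "1":  # Sysmon: process creation
        image = basename(ev.get("Image", ""))
        # Sysmon reports the PE's OriginalFileName, which survives a rename on disk.
        if ev.get("OriginalFileName", "").lower() == "powershell.exe" and image not in POWERSHELL_NAMES:
            findings.append(f"renamed PowerShell interpreter: {ev.get('Image')}")
        if basename(ev.get("ParentImage", "")) == "mshta.exe":
            findings.append(f"mshta.exe spawned {image}: {ev.get('CommandLine')}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[str]:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed telemetry: one malicious task, one renamed interpreter, one benign PowerShell, one benign task.
SAMPLE_EVENTS = [
    {"EventID": "4698", "TaskName": "\\Microsoft\\Windows\\Sync\\Update",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-w hidden -ep bypass -f C:\\Users\\Public\\run.ps1</Arguments></Exec></Actions></Task>"},
    {"EventID": "1", "Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -w hidden -f C:\\Users\\Public\\run.ps1"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": "4698", "TaskName": "\\Backup",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The renamed-interpreter rule relies on a field that comes from the PE version resource rather than the file name, so it still fires when powershell.exe is copied to another name; the same idea applies to mshta.exe and the Windows Script Host binaries if the group rotates tooling.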