Ethical Hacking News
A new cyberattack campaign targeting Ukraine using the CABINETRAT backdoor has been discovered by CERT-UA. The attackers employed malicious Excel XLL add-ins to spread their payload, which was then used to gather OS and installed-program data, run commands, and exfiltrate sensitive information. This report provides a comprehensive analysis of the attack vector used by UAC-0245, highlighting the novelty of tactics, techniques, and procedures employed by this group.
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a new cyberattack campaign targeting Ukraine using the CABINETRAT backdoor. The attack campaign, attributed to the group UAC-0245, used malicious Excel XLL add-ins to spread their payload. The attackers disguised the malicious file as a border detention document in Ukraine and distributed it via Signal. The XLL payload gathered OS and installed-program data, ran commands, and exfiltrated sensitive information. The attack highlights the novelty of tactics, techniques, and procedures used by UAC-0245. CERT-UA has created a separate identifier to track this activity, ensuring proper attribution and analysis.
CERT-UA, the Computer Emergency Response Team of Ukraine, has issued a warning about a new cyberattack campaign targeting Ukraine using the CABINETRAT backdoor. The campaign, attributed to the group UAC-0245, was observed in September 2025, and the CERT-UA report provides a detailed analysis of the attack vector used by this group.
According to the report, the attackers employed malicious Excel XLL add-ins, posing as software tools, to spread their payload. These add-ins are executable (PE, Portable Executable) files that the Excel Add-in Manager loads by calling a specific exported function, "xlAutoOpen". The malicious file was titled "500.zip" and was distributed via Signal, disguised as a border detention document in Ukraine.
Once the victim opened the file, it would drop an EXE in the Startup folder, an XLL named "BasicExcelMath.xll" in %APPDATA%, and a PNG called "Office.png". The XLL payload and its shellcode included anti-analysis checks to evade sandboxes and analysts: they verified the presence of at least two CPU cores and 3GB RAM and looked for virtualization platforms (VMware, VirtualBox, Xen, QEMU, Parallels, Hyper-V). Additionally, they checked that the user SID did not end with "500" (RID 500 is the built-in Administrator account) and whether the PEB debug flag was set.
The XLL payload and its shellcode also included code that gathered OS and installed-program data, ran commands, handled files, took screenshots, and connected to a C2 over TCP. The main message types used by this malware included:
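The dropper chain just described leaves host artifacts that endpoint telemetry can catch: Excel loading an XLL from a user-writable profile path, and Excel writing an executable into the Startup folder. The following triage script is an added example and not CERT-UA code; it assumes Sysmon-style ImageLoad and FileCreate records, and the Startup EXE name "svc_update.exe" is a constructed placeholder, since the report names only the XLL and the PNG.

```python
"""Triage of constructed endpoint events for the CABINETRAT XLL dropper chain described above.

Added example, not CERT-UA code. Events are assumed to look like Sysmon ImageLoad
and FileCreate records; the Startup EXE name "svc_update.exe" is a constructed
placeholder, since the summary names only the XLL and the PNG.
"""
import re
from collections import defaultdict

EXCEL = re.compile(r"\\excel\.exe$", re.IGNORECASE)
# An add-in loaded from a user-writable profile path is the key oddity here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

def triage(events):
    """Return {host: [finding, ...]} for Excel activity matching the dropper chain."""
    findings = defaultdict(list)
    for ev in events:
        if not EXCEL.search(ev.get("image", "")):
            continue  # only activity originating from Excel is in scope
        host = ev["host"]
        if ev["type"] == "ImageLoad":
            path = ev["loaded"]
            if path.lower().endswith(".xll") and USER_WRITABLE.search(path):
                findings[host].append(f"XLL loaded from user-writable path: {path}")
        elif ev["type"] == "FileCreate":
            path = ev["target"]
            if STARTUP.search(path) and path.lower().endswith(".exe"):
                findings[host].append(f"EXE written to Startup folder: {path}")
            elif USER_WRITABLE.search(path) and path.lower().endswith((".xll", ".png")):
                findings[host].append(f"file dropped into AppData: {path}")
    return dict(findings)

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed sample telemetry, not captured from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "ImageLoad", "image": OFFICE,
     "loaded": r"C:\Users\alice\AppData\Roaming\BasicExcelMath.xll"},
    {"host": "ws01", "type": "FileCreate", "image": OFFICE,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc_update.exe"},
    {"host": "ws01", "type": "FileCreate", "image": OFFICE, "target": r"C:\Users\alice\AppData\Roaming\Office.png"},
    # Benign: centrally deployed add-in from Program Files, and a normal workbook save.
    {"host": "ws02", "type": "ImageLoad", "image": OFFICE, "loaded": r"C:\Program Files\Corp\Analysis.xll"},
    {"host": "ws02", "type": "FileCreate", "image": OFFICE,
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\budget.xlsx"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, *hits, sep="\n  - ")
```

Only ws01 is reported; the centrally deployed add-in and the workbook save on ws02 match neither rule.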
* Handshake (client sends "Ninja", server replies "Bonjour")
* Run a program and send results
* Send command output
* Send a requested file to the server (exfiltrate)
* Receive and save a file from the server
* Send BIOS GUIDs after handshake
* Send OS version info (from Windows registry)
* Report connected disks
* List installed programs (registry uninstall keys)
* List directory contents (path + search mask)
* Take and send a screenshot
* Send an error code
* Delete a file or folder
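Because the handshake uses two fixed greetings over plain TCP, a network sensor can correlate the client's "Ninja" with the server's "Bonjour" reply within one session. The script below is an added example, not CERT-UA code; it assumes flow records as (ts, src, dst, direction, payload) tuples such as a Zeek or pcap post-processor might emit, and since the report does not give the wire framing of the greetings, it matches each side's first payload by prefix.

```python
"""Flag TCP sessions showing the CABINETRAT handshake listed above.

Added example, not CERT-UA code. Flow records are assumed to be
(ts, src, dst, direction, payload) tuples such as a Zeek or pcap post-processor
might emit; the wire framing of the two greetings is not given in the summary,
so each side's first payload is matched by prefix.
"""
from collections import defaultdict

CLIENT_HELLO = b"Ninja"    # implant -> server
SERVER_HELLO = b"Bonjour"  # server -> implant

def detect_handshakes(records):
    """Return [(client, server, ts)] for sessions whose first client payload
    starts with b"Ninja" and whose first server reply starts with b"Bonjour"."""
    sessions = defaultdict(list)
    for ts, src, dst, direction, payload in sorted(records, key=lambda r: r[0]):
        # Normalise both directions onto a (client, server) key.
        key = (src, dst) if direction == "c2s" else (dst, src)
        sessions[key].append((ts, direction, payload))
    hits = []
    for (client, server), msgs in sessions.items():
        c2s = [m for m in msgs if m[1] == "c2s"]
        s2c = [m for m in msgs if m[1] == "s2c"]
        if not c2s or not s2c:
            continue
        first_c, first_s = c2s[0], s2c[0]
        if (first_c[2].startswith(CLIENT_HELLO)
                and first_s[2].startswith(SERVER_HELLO)
                and first_s[0] >= first_c[0]):  # reply must follow the hello
            hits.append((client, server, first_c[0]))
    return hits

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    # Suspicious: greeting exchange, then a follow-up message from the implant.
    (10.0, "10.0.0.5", "203.0.113.10", "c2s", b"Ninja"),
    (10.1, "203.0.113.10", "10.0.0.5", "s2c", b"Bonjour"),
    (10.2, "10.0.0.5", "203.0.113.10", "c2s", b"<follow-up message placeholder>"),
    # Benign: ordinary HTTP request/response.
    (11.0, "10.0.0.7", "198.51.100.3", "c2s", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    (11.1, "198.51.100.3", "10.0.0.7", "s2c", b"HTTP/1.1 200 OK\r\n\r\n"),
    # Benign: "Bonjour" from a server that was never greeted with "Ninja".
    (12.0, "10.0.0.9", "198.51.100.4", "c2s", b"HELLO"),
    (12.1, "198.51.100.4", "10.0.0.9", "s2c", b"Bonjour"),
]

if __name__ == "__main__":
    for client, server, ts in detect_handshakes(SAMPLE_FLOWS):
        print(f"{ts}: {client} -> {server} CABINETRAT-style handshake")
```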
The CABINETRAT backdoor is a tool written in C and delivered as shellcode that provides various functionalities, including data exfiltration, command execution, and OS information gathering. It compresses its traffic with MSZIP and splits a message into parts when it exceeds a certain size.
The CERT-UA report emphasizes that this attack campaign, attributed to UAC-0245, highlights the novelty of tactics, techniques, and procedures used by this group. Given the unique characteristics of the attack vector employed by UAC-0245, a separate identifier has been created to track this activity, ensuring proper attribution and analysis.
The incident serves as a reminder of the ongoing threats posed by cyberattacks in Ukraine and the importance of vigilance for cybersecurity teams. The CERT-UA report provides valuable insights into the tactics, techniques, and procedures used by UAC-0245, allowing cybersecurity professionals to enhance their defenses against similar attacks.
In conclusion, the CABINETRAT backdoor campaign, attributed to UAC-0245, demonstrates the evolving nature of cyber threats and the importance of continuous monitoring and analysis. By understanding the attack vector employed by this group, cybersecurity teams can improve their defenses and prevent similar incidents in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/CERT-UA-Warns-UAC-0245-Targets-Ukraine-with-CABINETRAT-Backdoor-A-Comprehensive-Analysis-ehn.shtml
https://securityaffairs.com/182862/cyber-warfare-2/cert-ua-warns-uac-0245-targets-ukraine-with-cabinetrat-backdoor.html
https://threatnote.com/infosec-news/from-the-hacker-news-cert-ua-warns-of-phishing-attacks-targeting-ukraines-defense-and-security-force/
https://thehackernews.com/2025/10/ukraine-warns-of-cabinetrat-backdoor.html
Published: Thu Oct 2 16:26:28 2025 by llama3.2 3B Q4_K_M