

Ethical Hacking News

CERT-UA Warns of Sophisticated Phishing Attacks by UAC-0099 Targeting Ukraine's Defense Sector




CERT-UA, Ukraine's national cyber security agency, has warned of a series of sophisticated phishing attacks against the country's defense sector by UAC-0099. The attacks use malicious HTA files attached to phishing emails posing as court summons, and the actor behind them has been linked to several high-profile cyber espionage operations against Ukrainian government agencies and private companies.

  • CERT-UA warns of sophisticated phishing attacks targeting Ukraine's defense sector by UAC-0099.
  • The attackers use malicious HTA files attached to phishing emails that run obfuscated VBScript code and deploy additional malware like MATCHWOK backdoor and DRAGSTARE stealer.
  • The threat actor uses the MATCHBOIL loader to fetch and run payloads; it gathers system data and embeds it in HTTP headers for C2 communication.
  • MATCHWOK is a C#-based backdoor that executes PowerShell commands by compiling .NET code at runtime.
  • DRAGSTARE is a C# stealer that gathers system info, browser data, and specific files from common folders for exfiltration.
  • UAC-0099 has targeted Ukraine since mid-2022, with evolving tactics and techniques making it essential for organizations to remain vigilant and implement robust security measures.



CERT-UA, the national cyber security agency of Ukraine, has issued a warning about a series of sophisticated phishing attacks targeting the country's defense sector. The threat actor behind these attacks is known as UAC-0099, and it has been responsible for several high-profile cyber espionage operations against Ukrainian government agencies and private companies.

The latest attack, which began in mid-2022, involves malicious HTA files attached to phishing emails that appear to be court summons. The emails are sent via UKR.NET and contain links to legitimate file services hosting a double archive with an HTA file. When opened, the HTA runs obfuscated VBScript code that drops files and creates a scheduled task to execute PowerShell code.

This code decodes HEX data, writes it to a file, renames it to "AnimalUpdate.exe," and sets it to run regularly, activating the MATCHBOIL loader. Attackers were also spotted deploying additional malware such as the MATCHWOK backdoor and the DRAGSTARE stealer. The researchers note that the group's evolving tactics demonstrate its persistence and sophistication.

The attackers use a C#-based loader called MATCHBOIL to fetch and run additional payloads. It gathers system data, such as CPU ID, BIOS serial, username, and MAC address, which is combined and used in HTTP headers during communication with its C2 server. The malware downloads payloads hidden in image-like URIs, decodes them from HEX and BASE64, and saves them as ".com" files.

MATCHWOK, the backdoor used by the threat actor, is a C#-based backdoor that executes PowerShell commands by compiling .NET code at runtime, often using a renamed PowerShell executable. Command results are saved to a temp file and sent via HTTPS to a server whose address is read from a local config file. Commands are AES-256 encrypted and hidden in
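As an added defender-side example (not code from CERT-UA, from the article, or from any of the malware families named), the following Python shows two checks a detection engineer could derive from the chain described above: first, a process-lineage rule over constructed Sysmon-style process-creation events that flags a script host or a PowerShell scheduled task descended from mshta.exe; second, a content check for the loader's payload delivery, which tests whether a URI that looks like an image actually returned HEX-wrapped Base64 instead of image bytes. All event records, file paths, the task name, the host names and the sample response body are constructed for the demo and labelled as such.

```python
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (not real CERT-UA data): an HTA opened from the
# Downloads folder spawns a script host, which registers a hidden PowerShell task.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\Downloads\summons.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stage.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 3 /tn Updater /tr "powershell -w hidden -f C:\Users\u\AppData\Roaming\u.ps1"'),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return [self, parent, grandparent, ...] image names, stopping at unknown pids or loops."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect_hta_chain(events):
    """Flag script hosts descended from mshta.exe and PowerShell scheduled tasks created there."""
    findings = []
    for e in events:
        name = _basename(e.image)
        parents = ancestry(events, e.pid)[1:]
        if name in SCRIPT_HOSTS and "mshta.exe" in parents:
            findings.append((e.pid, "script host spawned under mshta.exe"))
        cmd = e.cmdline.lower()
        if name == "schtasks.exe" and "/create" in cmd and "powershell" in cmd:
            reason = "persistence via scheduled PowerShell task"
            if "mshta.exe" in parents:
                reason += " (descended from mshta.exe)"
            findings.append((e.pid, reason))
    return findings


# --- Loader payload check: an "image" URI whose body is HEX(Base64(PE)) ---------

IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"BM", b"RIFF")
IMAGE_URI_RE = re.compile(r"\.(png|jpe?g|gif|bmp|webp)(\?|$)", re.I)
HEX_RE = re.compile(rb"^[0-9A-Fa-f\s]+$")


def hidden_payload_in_image_response(uri: str, body: bytes):
    """Return a reason string if an image-looking URI returned an encoded payload, else None."""
    if not IMAGE_URI_RE.search(uri):
        return None
    if body.startswith(IMAGE_MAGIC):
        return None  # genuine image bytes
    stripped = body.strip()
    if not HEX_RE.match(stripped):
        return "image URI returned non-image, non-hex data"
    try:
        layer1 = binascii.unhexlify(re.sub(rb"\s", b"", stripped))
    except binascii.Error:
        return "image URI returned non-image data that is not valid hex"
    try:
        layer2 = base64.b64decode(layer1, validate=True)
    except (binascii.Error, ValueError):
        return "image URI returned hex-encoded non-image data"
    if layer2.startswith(b"MZ"):
        return "image URI returned HEX(Base64(PE)) payload"
    return "image URI returned HEX(Base64(...)) non-image data"


# Constructed response body: a fake MZ header (not an executable) wrapped the way the
# article describes, Base64 then HEX, so the check can be exercised offline.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real executable"
SAMPLE_BODY = binascii.hexlify(base64.b64encode(FAKE_PE)).upper()

if __name__ == "__main__":
    for pid, reason in detect_hta_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
    print(hidden_payload_in_image_response("https://cdn.example.invalid/logo.png", SAMPLE_BODY))
```

The lineage rule deliberately keys on the parent chain rather than on the file name "AnimalUpdate.exe", since a renamed binary or a different task name would evade a string match while the mshta.exe to script host to schtasks.exe sequence is what the described chain cannot avoid. The response check is a triage heuristic for proxy or EDR network telemetry: a legitimate image response starts with a known magic, so a body made entirely of hex digits that unwraps to a Base64 MZ header is worth an alert even before the decoded bytes are examined.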