Bitdefender’s latest research highlights an active cyberespionage campaign attributed to the Russian-linked group UAC-0063, which has been operating since at least 2021. This threat actor is specifically targeting high-value entities in Central Asia and several European countries, including Germany, the UK, Romania, and the Netherlands, using a multi-layered attack strategy that incorporates advanced malware and weaponized documents.
The campaign is marked by a persistent focus on infiltrating organizations such as government agencies, diplomatic missions, and private companies. UAC-0063 employs malicious Microsoft Word documents as the entry point for their attacks, utilizing macros that, once enabled by the user, trigger the download of malicious software. Central to their operations is the HATVIBE malware loader, which subsequently retrieves additional malicious code from the attackers’ command-and-control (C2) server.
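A first defensive check against the macro-laden Word documents described above is to inspect attachments for an embedded VBA project regardless of file extension. The following is an added example, not code from Bitdefender's report or from the malware it describes; it uses only the Python standard library and constructs its own in-memory sample packages (the `build_sample` helper and the `invoice.docm`/`memo.docx` names are made up for this example). It relies on the fact that Office Open XML files are zip archives in which VBA is stored as a `vbaProject.bin` part.

```python
import io
import zipfile

# Parts whose presence in an Office Open XML package indicates embedded VBA.
# Word, Excel and PowerPoint keep the project under different folders.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def find_vba_parts(data: bytes) -> list[str]:
    """Return the names of VBA project parts found inside an OOXML package.

    An empty list means no VBA project was found, or the input is not a zip
    at all (for example a legacy binary .doc, which this check does not cover).
    """
    if not data.startswith(b"PK"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return sorted(n for n in names if n in VBA_PART_NAMES)


def has_macros(data: bytes) -> bool:
    """True when the package carries any VBA project part."""
    return bool(find_vba_parts(data))


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like package in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each attachment name to the VBA parts it contains (empty list = clean)."""
    return {name: find_vba_parts(data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed samples: the extension is deliberately not trusted; only content counts.
    samples = {"invoice.docm": build_sample(True), "memo.docx": build_sample(False)}
    for name, parts in triage(samples).items():
        print(f"{name}: {'VBA project in ' + ', '.join(parts) if parts else 'no VBA project'}")
```

The check looks at content rather than the file name, so a macro-bearing document renamed to `.docx` is still caught. Legacy OLE `.doc` files store VBA differently and need a dedicated parser such as oletools.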
Once the initial infection occurs, a Python-based malware called DownExPyer comes into play. This component establishes an ongoing communication link with the C2 server, allowing attackers to receive commands and perform a range of malicious activities on the compromised system. Moreover, the attackers use a script known as PyPlunderPlug to systematically gather files from removable drives connected to the affected devices, highlighting their intent to collect sensitive information.
In tandem with their data collection methods, UAC-0063 integrates keyloggers into their arsenal, designed to capture every keystroke entered by the victim, with the goal of harvesting sensitive credentials, including passwords. Before exfiltration, the stolen data is compressed into small archives, which speeds up transfer and reduces the chance of detection as it leaves the compromised network.
One notable strategy employed by UAC-0063 involves leveraging previously compromised victims to extend their reach. The threat actors recycle weaponized documents from one victim to launch new attacks, effectively using their existing access to spread further infections. Additionally, they create scheduled tasks within the compromised systems to ensure that their malicious software continues to run seamlessly, executing commands at predetermined intervals.
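The scheduled-task persistence described above leaves a record that defenders can audit. The following is an added example, not part of Bitdefender's research or the group's tooling: it triages a constructed sample in the layout of `schtasks /query /fo CSV /v` output (reduced to a few of its columns; the host name, task names, users and paths are made up) and scores each task on indicators a hunter would look for: a script interpreter in the command line, a command living in a user-writable directory, and a short repeat interval. The column names assumed are those of the verbose `schtasks` CSV format; the threshold of 15 minutes is an arbitrary choice for the example.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v`, trimmed to
# a few columns. Host, task names, accounts and paths are invented.
SAMPLE_CSV = """\
"HostName","TaskName","Author","Task To Run","Schedule Type","Repeat: Every","Run As User"
"WS-01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","Disabled","SYSTEM"
"WS-01","\\OneDriveSync","WS-01\\alice","C:\\Users\\alice\\AppData\\Roaming\\Python\\pythonw.exe C:\\Users\\alice\\AppData\\Roaming\\upd.py","Daily","0:05:00","WS-01\\alice"
"WS-01","\\Adobe Update","WS-01\\alice","wscript.exe C:\\ProgramData\\adobe\\update.vbs","Daily","Disabled","WS-01\\alice"
"WS-01","\\Backup","WS-01\\bob","C:\\Program Files\\Backup\\backup.exe","Daily","Disabled","WS-01\\bob"
"""

# Interpreters that are commonly abused to run scripts from a scheduled task.
INTERPRETER = re.compile(
    r'(?:^|[\\/\s"])(pythonw?|wscript|cscript|mshta|powershell|rundll32|regsvr32)(?:\.exe)?\b',
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; legitimate system tasks rarely run from here.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Users\\Public)\\",
    re.IGNORECASE,
)


def parse_interval(value: str):
    """Convert the 'Repeat: Every' field (H:MM:SS, or 'Disabled') to seconds, or None."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def triage_tasks(csv_text: str, max_interval_seconds: int = 900) -> list[dict]:
    """Return tasks with at least one indicator, highest score first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["Task To Run"]
        reasons = []
        if INTERPRETER.search(cmd):
            reasons.append("runs a script interpreter")
        if USER_WRITABLE.search(cmd):
            reasons.append("command lives in a user-writable directory")
        interval = parse_interval(row["Repeat: Every"])
        if interval is not None and interval <= max_interval_seconds:
            reasons.append(f"repeats every {interval}s")
        if reasons:
            results.append({
                "task": row["TaskName"],
                "author": row["Author"],
                "run_as": row["Run As User"],
                "command": cmd,
                "reasons": reasons,
                "score": len(reasons),
            })
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_CSV):
        print(f"[{finding['score']}] {finding['task']} ({finding['run_as']}): {finding['command']}")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

On a real host the input would be the actual `schtasks` export or the task XML files under `C:\Windows\System32\Tasks`; the scoring is deliberately simple so analysts can tune the indicator list and threshold to their environment.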
Research conducted by Bitdefender suggests potential ties between the operations of UAC-0063 and Russian state interests. The use of sophisticated threats such as DownExPyer and PyPlunderPlug, combined with adept tactics and techniques, underscores a clear objective focused on espionage and intelligence collection.
To combat the risks posed by groups like UAC-0063, organizations are advised to bolster their cybersecurity defenses through enhanced threat intelligence measures. Continuous monitoring of threat feeds, tracking known C2 domains, and implementing DNS-based blocking strategies are essential steps in preventing unauthorized access. In addition, adopting application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) can effectively safeguard networks and endpoints against advanced cyber threats.
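To make the C2-domain tracking and DNS-based blocking recommended above concrete, the following added example (not from Bitdefender or the report) does two things with one blocklist: it scans resolver query logs for lookups of blocked domains, and it emits a Response Policy Zone (RPZ) fragment that a BIND-style resolver can load to answer those lookups with NXDOMAIN. The blocklist entries are placeholders, the log lines are constructed and only loosely modelled on BIND query-log format, and the `rpz.local` zone name is an assumption. Matching is done label by label so that subdomains of a blocked domain are caught while look-alike names that merely share a suffix string are not.

```python
import re
from typing import Iterable, Optional

# Placeholder C2 domains; in practice these come from a threat feed.
BLOCKLIST = {"c2-placeholder.example", "loader-placeholder.test"}

# Constructed log lines, loosely in the shape of BIND query logging.
SAMPLE_LOG = """\
12-Feb-2025 09:14:02.113 client @0x7f1 10.0.0.5#51234 (update.c2-placeholder.example): query: update.c2-placeholder.example IN A + (10.0.0.1)
12-Feb-2025 09:14:05.201 client @0x7f1 10.0.0.5#51240 (www.example.org): query: www.example.org IN A + (10.0.0.1)
12-Feb-2025 09:15:11.009 client @0x7f2 10.0.0.7#40001 (LOADER-PLACEHOLDER.TEST.): query: LOADER-PLACEHOLDER.TEST. IN TXT + (10.0.0.1)
12-Feb-2025 09:16:44.871 client @0x7f3 10.0.0.9#40022 (notc2-placeholder.example): query: notc2-placeholder.example IN A + (10.0.0.1)
"""

LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[\d.:a-fA-F]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def blocked_by(name: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry covering `name` (itself or any parent domain), else None.

    Walking the labels avoids the substring trap: 'notc2-placeholder.example'
    must not match 'c2-placeholder.example'.
    """
    labels = normalize(name).split(".")
    blocked = {normalize(b) for b in blocklist}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_log(text: str, blocklist: Iterable[str] = BLOCKLIST) -> list[dict]:
    """Return one record per query that resolves a blocked domain or a subdomain of one."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = blocked_by(m["qname"], blocklist)
        if entry:
            hits.append({"src": m["src"], "qname": normalize(m["qname"]),
                         "qtype": m["qtype"], "matched": entry})
    return hits


def rpz_zone(blocklist: Iterable[str], origin: str = "rpz.local", serial: int = 1) -> str:
    """Render an RPZ zone that returns NXDOMAIN for each blocked domain and its subdomains."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in sorted(normalize(b) for b in blocklist):
        lines.append(f"{d} CNAME .")      # CNAME to the root = NXDOMAIN action
        lines.append(f"*.{d} CNAME .")    # same for every subdomain
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['src']} looked up {h['qname']} ({h['qtype']}), blocked by {h['matched']}")
    print(rpz_zone(BLOCKLIST))
```

The log scan gives the source address of the host that asked, which is the pivot for incident response, while the RPZ output turns the same list into enforcement at the resolver. In production the zone would be regenerated (with an incremented serial) each time the threat feed changes.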
This incident reflects a concerning trend in cyber espionage, where advanced tactics and persistent threats pose significant challenges for businesses and governmental entities alike. As organizations navigate an ever-evolving threat landscape, understanding these tactics, particularly as outlined in the MITRE ATT&CK framework, will be crucial for strengthening their cybersecurity posture.