The threat actor identified as UAC-0099 has intensified its campaign targeting Ukraine, utilizing a critical vulnerability in the WinRAR software to distribute the malware variant known as LONEPAGE. This method highlights a significant shift in tactics, emphasizing the exploitation of existing software vulnerabilities to facilitate attacks.
According to cybersecurity firm Deep Instinct, “The threat actor focuses on Ukrainian personnel employed by organizations outside the country.” This strategy illustrates a broader trend where attackers aim for vulnerable individuals rather than institutions directly.
UAC-0099 was first documented in June 2023 by Ukraine’s Computer Emergency Response Team (CERT-UA). The group has been linked to a series of espionage-driven attacks targeting state institutions and media organizations.
The attack chains begin with phishing messages carrying HTA, RAR, and LNK file attachments, which initiate the LONEPAGE deployment. This malware, written in Visual Basic Script (VBS), is engineered to establish contact with a command-and-control (C2) server, enabling the retrieval of additional malicious payloads that could include keyloggers and other forms of spyware.
Between 2022 and 2023, CERT-UA reported that UAC-0099 gained unauthorized access to numerous computers within Ukraine, underscoring the scale and impact of their operations.
Recent analysis from Deep Instinct indicates that HTA attachments represent just one of multiple infection vectors. The other two are self-extracting (SFX) archives and malicious ZIP archives, the latter taking advantage of a known WinRAR vulnerability (CVE-2023-38831, with a CVSS score of 7.8) to disseminate LONEPAGE.
In one variant, the SFX file conceals an LNK shortcut disguised as a DOCX file for a court summons. This lure is designed to get the victim to open the file, which runs malicious PowerShell code that installs LONEPAGE. Another infection method employs a specially crafted ZIP archive that triggers CVE-2023-38831, with Deep Instinct noting at least two such archives created by UAC-0099 shortly after a patch for the vulnerability was released.
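A defender's triage check for archives of the kind described above, added here as an example and not code from Deep Instinct or CERT-UA. CVE-2023-38831 was publicly documented as abusing an archive that holds a benign-looking decoy file next to a directory of the same name (typically differing only by a trailing space) that contains a script; opening the decoy in a vulnerable WinRAR build launched the script. The function below only inspects entry names, so it can be run over a quarantined archive without extracting or executing anything. The entry names in the sample are constructed for the demonstration.

```python
"""Flag ZIP archives whose entry layout matches the CVE-2023-38831 decoy/directory collision.

Added example (not the page's or the vendor's code). It inspects names only and never extracts.
"""
import posixpath
import zipfile

# Extensions an attacker would want executed once the decoy is opened (assumption: a practical
# starting list, extend to taste).
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr", ".hta", ".lnk"}
# Extensions a victim expects to be harmless documents or images.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _norm(name):
    """Strip trailing whitespace from every path component (the classic trick is a trailing space)."""
    return "/".join(part.rstrip() for part in name.split("/"))


def _ext(name):
    return posixpath.splitext(name.rstrip())[1].lower()


def find_decoy_collisions(entry_names):
    """Return (decoy_file, script_entry) pairs found in a list of archive entry names.

    entry_names: names exactly as zipfile.ZipFile.namelist() returns them
    (forward slashes, directory entries end with '/').
    """
    files = [n for n in entry_names if not n.endswith("/")]
    findings = []
    for decoy in files:
        if _ext(decoy) not in DECOY_EXTENSIONS:
            continue
        decoy_norm = _norm(decoy)
        for other in files:
            if other == decoy:
                continue
            # A script living inside a directory whose normalised name equals the decoy's name.
            if posixpath.dirname(_norm(other)) == decoy_norm and _ext(other) in SCRIPT_EXTENSIONS:
                findings.append((decoy, other))
    return findings


def is_suspicious_archive(path):
    """Open a real ZIP on disk and report whether the collision pattern is present."""
    with zipfile.ZipFile(path) as zf:
        return bool(find_decoy_collisions(zf.namelist()))


# Constructed sample entry lists (no archive is built; these mimic namelist() output).
SAMPLE_SUSPICIOUS = ["summons.pdf ", "summons.pdf /", "summons.pdf /summons.pdf .cmd"]
SAMPLE_BENIGN = ["report.docx", "images/", "images/chart.png"]

if __name__ == "__main__":
    for label, names in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, find_decoy_collisions(names))
```

On a real case, pass an incoming attachment path to `is_suspicious_archive` before it reaches a user's desktop; a hit is a strong signal regardless of whether the recipient's WinRAR is patched, because the layout has no legitimate reason to exist.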
Deep Instinct summarizes the operational tactics of UAC-0099 as notably simple yet effective. Regardless of the varying initial vectors used to gain access, the main technique involves PowerShell and the establishment of scheduled tasks to execute VBS files, underscoring a consistent methodology.
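Because the persistence described above is a scheduled task that runs a VBS file, a defender can sweep the task store for that shape. The script below is an added example (not Deep Instinct's or CERT-UA's tooling) that parses the XML definitions Windows keeps under `C:\Windows\System32\Tasks` and reports any `Exec` action that launches a script host with a `.vbs` argument. The task XML shown is constructed for the demonstration; the script-host list is an assumption you may widen.

```python
"""Hunt scheduled-task definitions for actions that execute a VBS file via a script host.

Added example, not the page's or the vendor's code. Task files are UTF-16 XML in
%SystemRoot%\\System32\\Tasks, so the directory scanner reads bytes and lets the parser
honour the BOM and declaration.
"""
import os
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Hosts that will happily run a .vbs (assumption: starting list for this hunt).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        yield cmd, args


def suspicious_actions(task_xml):
    """Return the command lines that run a VBS file through a script host (or directly)."""
    hits = []
    for cmd, args in exec_actions(task_xml):
        host = PureWindowsPath(cmd.strip('"')).name.lower()
        cmdline = f"{cmd} {args}".strip()
        if (host in SCRIPT_HOSTS and VBS_RE.search(args)) or VBS_RE.search(cmd):
            hits.append(cmdline)
    return hits


def scan_tasks_dir(root=r"C:\Windows\System32\Tasks"):
    """Walk the task store and map task file path -> suspicious command lines."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = suspicious_actions(fh.read())
            except (OSError, ET.ParseError):
                continue
            if hits:
                results[path] = hits
    return results


# Constructed task definitions (no encoding declaration so they parse as str).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\wscript.exe</Command>
      <Arguments>//B //Nologo "C:\\Users\\Public\\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\sc.exe</Command>
      <Arguments>start w32time</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(suspicious_actions(SUSPICIOUS_TASK))
    print(suspicious_actions(BENIGN_TASK))
```

Run `scan_tasks_dir()` from an elevated prompt on a host under investigation; pair any hit with the task's `RegistrationInfo` date and the referenced VBS file's hash before acting on it.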
This development coincides with CERT-UA’s recent warnings about a surge in phishing messages masquerading as unpaid dues from Kyivstar, disseminating the Remcos Remote Access Trojan (RAT). This campaign has been attributed to another threat actor, UAC-0050.