UAC-0099's Persistent Cyber Campaigns Target Ukrainians Abroad

Deep Instinct Threat Labs has reported ongoing cyber threat campaigns by the group known as UAC-0099. Active since mid-2022, this group has recently targeted Ukrainian individuals working for foreign companies. As of April 2023, UAC-0099 employed a variety of infection methods with significant tactical overlap. Deep Instinct identified that regardless of the infection vector, "the core infection is the same" as the threat group relies "on PowerShell and the creation of a scheduled task that executes a VBS file." UAC-0099 consistently utilized PowerShell for core infections, underpinned by creating scheduled tasks to execute VBScript files. These attacks aim to infiltrate a system and exfiltrate data.

The first documented infection vector employed by "UAC-0099" is observed to be centered on a combination of WinRAR with a self-extracting archive (SFX) and a shortcut LNK file. This infection vector was observed in early August and involved a deceptive email masquerading as a court summons from the Lviv city court. Attached to the email is an executable file created by WinRAR, appearing as a regular document but functioning as a malicious shortcut (LNK file). This LNK file triggers a PowerShell script that, in turn, decodes and executes additional scripts. These scripts establish a scheduled task to run a VBScript file periodically, which communicates with a C2 server, sending collected data and receiving further instructions.

In contrast, the second attack method uses an HTML Application (HTA) file that includes HTML code containing a VBScript. This script activates PowerShell commands and creates a scheduled task with a different frequency compared to the LNK method. The HTA file also uses a DOCX file as a decoy, similar to the court summons theme observed in the LNK attack.

The most notable and potentially damaging vector is the exploitation of the CVE-2023-38831 vulnerability in WinRAR, utilized by UAC-0099 as early as April 2023. This approach involves crafting a ZIP file with a misleading filename that leads users to unwittingly execute a CMD file. The exploitation of this vulnerability demonstrates UAC-0099’s ability to exploit software vulnerabilities to gain access to target systems.

All these methods display a consistent theme: the use of court summons documents as decoys, regardless of the attack vector. This consistency in theme and attack techniques indicates a well-planned and targeted approach by UAC-0099 to deceive their intended victims. The group's operations, especially their reliance on PowerShell and VBScript, demonstrate consistent attack behaviors for threat detection.