UAC-0063 Targeted Ukraine Government for Cyber Espionage

A cyber espionage campaign is revealed by Ukraine's computer emergency response team, CERT-UA to have targeted a Ukrainian government agency with the goal of intelligence collection. The threat group is tracked as UAC-0063 and identified in CERT-UA's advisory to have an interest in targeting organizations located in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Their latest campaign took place between April 18th and April 20th, 2023, initiated through the distribution of phishing emails containing a macro-enabled Word document against a Ukrainian government agency. Three malware samples were found to have been dropped in the campaign, one a keylogger named LOGPIE, CHERRYSPY a python-backdoor and STILLARCH a data search and exfiltration tool. Not much is known about the threat group, including its origins. However, CERT-UA has been tracking the group since 2021, and attributes all of their activity to be focused on cyber espionage. CERT-UA advises organizations to monitor and restrict the usage of living-off-the-land binaries such as mshta.exe, wscript.exe, and cscript.exe, as well as any suspicious utilization of Python.