Russian-backed UAC-0113 gang targets Ukrainian telecom firms

September 28, 2022

A Russian state-backed threat group tracked as UAC-0113 has been impersonating telecommunication providers to target Ukrainian organisations, particularly telecommunication firms.

The objective of the campaign is to deliver the Warzone RAT and the Colibri Loader to Ukrainian organisations in sectors essential to the country's functioning. Researchers who tracked the group's command-and-control infrastructure describe the activity as cyberespionage and say it has been active since last month.

The recently discovered UAC-0113 activity also relies on numerous dynamic DNS domains that masquerade as Ukrainian telecom providers. Ukraine's government cybersecurity agency, CERT-UA, has further linked this Russian state-sponsored group's recent operations to the Sandworm group.

According to the agency, the two groups operate in concert against Ukraine's critical sectors in order to add pressure in the ongoing geopolitical conflict.

UAC-0113 group's methods overlap with Sandworm

Most of the UAC-0113 domains resolve to newly seen IP addresses, but in some instances they overlap with infrastructure used in Sandworm attacks a couple of months earlier.

CERT-UA explained that the threat actors used domains that purported to belong to Ukrainian telecommunication firms. This was confirmed when several of those companies, including EuroTransTelecom, Kyivstar, and Datagroup, denied any ownership of the malicious domains.

Threat analysis showed that the attackers opened the campaign by luring targets to the spoofed domains, convincing victims that the message came from their telecom provider.

To make the lure more convincing, the threat actors wrote it in Ukrainian and framed it around military operations and official notices; the most common theme was notices from the Odesa Regional Military Administration.

The landing page contained a base64-encoded ISO image that the browser decodes and drops to disk as soon as the page is opened, a technique known as HTML smuggling in which the file is embedded in the page itself rather than fetched by a separate download request. The ISO carries the Warzone RAT, a remote access trojan first seen about five years ago that has since become well known.
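The HTML-smuggling step is the part of this chain a defender can check for offline. The following Python script is an added example, not code from CERT-UA or from the researchers cited in this article: it scans a saved HTML page for the browser APIs a smuggling page chains together (atob, Blob, createObjectURL, a download attribute), decodes any large base64 run it finds, and checks whether the decoded bytes carry an ISO 9660 primary volume descriptor. The sample page, the Ukrainian lure text, the ISO image, the file name and the 4 KiB size threshold are all constructed assumptions for the demonstration.

```python
"""Detect HTML-smuggled ISO payloads in a saved web page.

Added example, not CERT-UA or researcher code. The HTML page, the ISO
image and the file name below are constructed for illustration only.
"""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass, field

# Browser APIs a smuggling page typically chains: decode an embedded
# base64 string, wrap it in a Blob, and trigger a client-side download.
SMUGGLING_API_MARKERS = (
    "atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download",
)

# A base64 run long enough to carry a file rather than an inline icon
# (threshold is an assumption: at least 4 KiB of encoded text).
B64_RE = re.compile(r"[A-Za-z0-9+/]{4096,}={0,2}")

# ISO 9660 primary volume descriptor: sector 16 (byte offset 0x8000),
# type byte 0x01 followed by the standard identifier "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_PVD_MAGIC = b"\x01CD001"


@dataclass
class Finding:
    api_markers: list = field(default_factory=list)
    blob_size: int = 0
    is_iso: bool = False
    payload_sha256: str = ""

    def suspicious(self) -> bool:
        # An embedded file plus decode/Blob/download plumbing is the
        # smuggling pattern; is_iso flags the variant from this article.
        return self.blob_size > 0 and len(self.api_markers) >= 2


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor."""
    return data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)] == ISO_PVD_MAGIC


def analyze_html(html: str) -> Finding:
    """Scan page text for smuggling APIs and decode embedded base64 files."""
    finding = Finding(api_markers=[m for m in SMUGGLING_API_MARKERS if m in html])
    for match in B64_RE.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) > finding.blob_size:  # keep the largest embedded file
            finding.blob_size = len(blob)
            finding.is_iso = looks_like_iso(blob)
            finding.payload_sha256 = hashlib.sha256(blob).hexdigest()
    return finding


def make_fake_iso() -> bytes:
    """Constructed stand-in for a malicious ISO: zeros plus a valid PVD header."""
    image = bytearray(ISO_PVD_OFFSET + 2048)
    image[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)] = ISO_PVD_MAGIC
    return bytes(image)


def build_sample_page(payload: bytes, filename: str) -> str:
    """Constructed smuggling page mirroring the technique described above."""
    b64 = base64.b64encode(payload).decode()
    return f"""<html><body>
<p>Повідомлення Одеської обласної військової адміністрації</p>
<script>
var raw = atob("{b64}");
var bytes = new Uint8Array(raw.length);
for (var i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "{filename}";
a.click();
</script>
</body></html>"""


if __name__ == "__main__":
    page = build_sample_page(make_fake_iso(), "notice.iso")
    print(analyze_html(page))
```

Run on a page saved from a suspicious link, the script reports the smuggling API markers present, the size and SHA-256 of the largest embedded file, and whether that file is an ISO image. Real smuggling pages often split or obfuscate the base64 string across several JavaScript variables, so the single-run regex here is a starting point rather than a complete detector; the ISO signature check, however, applies to any decoded blob regardless of how it was assembled.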

Russian-backed threat actors have attacked Ukraine continuously since the start of the year, rotating between different malware families to complicate tracking and attribution. For now, Ukrainian entities should follow CERT-UA's published guidance on defending against these attacks.
