UAC-0099 uses a WinRAR flaw to launch the LONEPAGE malware

January 25, 2024

The notorious UAC-0099 cybercriminal group is infecting Ukrainian entities with the LONEPAGE malware. These campaigns exploit a critical flaw in the widely used WinRAR software, emphasising the evolving tactics employed by cybercriminals.

Based on reports, UAC-0099’s modus operandi specifically targets Ukrainian employees working for companies outside of Ukraine. CERT-UA initially documented the campaign and shed light on UAC-0099’s espionage-driven operations against state organisations and media entities.

The attack vectors employed by UAC-0099 are diverse. One of their most common attack methods uses phishing messages containing HTML Application (HTA), RAR, and LNK file attachments. These attachments host the attackers’ malicious payload called LONEPAGE.

The LONEPAGE malware is a VBS payload that has various capabilities.

The LONEPAGE malware is a Visual Basic Script (VBS) payload that could communicate with an attacker-controlled command-and-control server to fetch additional payloads, including keyloggers, stealers, and screenshot malware.

Further analysis of the group’s activity showed that they utilise three distinct infection chains. In addition to HTA attachments, the threat actor leverages self-extracting (SFX) archives and booby-trapped ZIP files. The latter technique exploits the recently disclosed WinRAR vulnerability (CVE-2023-38831) to propagate LONEPAGE.

The primary infection chain remains consistent despite the diversity in initial infection vectors. The infection process relies heavily on PowerShell and on the creation of a scheduled task that executes a VBS file. CERT-UA also reported that the attackers used unauthorised remote access to numerous computers in Ukraine during 2022-2023, highlighting the severity and persistence of the threat.
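As an added example (not from the article, CERT-UA or any vendor report), the detector below applies two process-relationship heuristics suggested by the chain above to constructed process-creation records: a script host spawned by WinRAR.exe, and a schtasks.exe /create launched from PowerShell whose task action runs a .vbs file. The Sysmon-like record layout, file paths and task name are assumptions made for illustration.

```python
# Added example: defensive heuristics for the infection chain described above.
# Records mimic Sysmon Event ID 1 fields; paths and task name are constructed.

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\u\Downloads\summons.zip'},
    {"parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Rar$DIa0\summons.cmd"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -w hidden -f C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SysUpdate" /sc minute /mo 3 '
                r'/tr "wscript.exe C:\Users\u\AppData\Roaming\upd.vbs"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\map_drives.vbs"},  # benign logon script
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # lower-cased file name

def classify(event: dict) -> list:
    """Return the detection labels that apply to one process-creation record."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmdline = event["cmdline"].lower()
    labels = []
    # Archive viewer launching a script host: consistent with a booby-trapped archive.
    if parent == "winrar.exe" and image in SCRIPT_HOSTS:
        labels.append("script-host-spawned-by-winrar")
    # Scheduled task whose action runs a VBS file, as in the chain described above.
    if image == "schtasks.exe" and "/create" in cmdline and ".vbs" in cmdline:
        labels.append("scheduled-task-runs-vbs")
        if parent == "powershell.exe":
            labels.append("schtasks-spawned-by-powershell")
    return labels

def scan(events: list) -> list:
    """Pair each flagged event index with its label; an empty list means nothing was flagged."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]
```

Running scan(SAMPLE_EVENTS) flags only the WinRAR-spawned cmd.exe and the PowerShell-created task, while the benign logon script in the last record is left alone.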

Furthermore, another analysis indicates that UAC-0099 continued its operations even after WinRAR released a fix that addressed the critical vulnerability. The attackers also demonstrated adaptability by employing SFX files that pose as DOCX court summons, enticing victims with the familiar Microsoft WordPad icon.

This alarming incident overlaps with CERT-UA’s warning of a new phishing message falsely claiming outstanding Kyivstar dues. These messages aim to propagate a remote access trojan known as Remcos RAT, with the agency attributing the campaign to UAC-0050.

This new UAC-0099 campaign reminds organisations to employ heightened vigilance and proactive measures to protect their infrastructure against sophisticated and persistent cyber threats.
