Massive UAC-0218 phishing campaign targets Ukrainian citizens

October 29, 2024
UAC-0218 Ukraine Europe Infostealer Malware Phishing Campaign Cybercrime

The Ukrainian government warns its citizens about a UAC-0218 phishing operation that primarily aims to harvest critical personal data.

Based on reports, the threat actors leverage phishing links that appear to be bills or payment details, resulting in the download of infostealing malware. Once downloaded, this script scans the victim’s device for documents in various formats before sending them to the attackers’ servers.

This strategy allows the threat actor to steal sensitive personal and financial information for use in theft or blackmail. This campaign has been ongoing since August 2024, based on domain name registration records.

However, CERT-UA has yet to reveal further information about the attackers’ identity or whether they target specific groups of people.

 

The UAC-0218 phishing campaign uses a subject line called “account details” to lure targets.

 

The UAC-0218 phishing emails include the subject line “account details” and a link to an eDisk file that downloads RAR archives of the same name. In addition, the archives include two password-protected fake documents titled and VBS script.

Once a target selects one of the two password-protected files, the VBS script executes computer code that allows for a recursive search for several file types across five directories from the % USERPROFILE% folder.

Subsequently, the malware will exfiltrate any files smaller than 10MB to an attacker-controlled server via the HTTP PUT method. This process adds a new resource or substitutes an existing one on a web server.

Furthermore, CERT-UA’s assessment of the attack also revealed an executable file on one of the victims’ workstations, including a one-line PowerShell command. This file implements a similar functionality for recursive search in the%USERPROFILE% directory of files by extension and subsequent transfer to the management server using the HTTP protocol’s POST method.

The Ukrainian government agency noted the attackers’ management infrastructure elements, including the domain name registrar HostZealot and the use of Python to create a web server. Currently, Ukrainians should be wary of these phishing emails as they are the primary focus of this widespread infostealing campaign.

Ukrainians should refrain from opening files from unsolicited emails, particularly those with suspicious subject lines that have little impact on their day-to-day activities.

About the author

Leave a Reply