UAC-0099 Targets Ukrainian Companies With Lonepage Malware – Gridinsoft Blog

/in


Ukrainian cyberwarfare sees further action as the UAC-0099 threat actor escalates its cyber espionage campaign against Ukrainian firms. Leveraging a severe vulnerability in the popular WinRAR software, the group orchestrates sophisticated attacks to deploy the Lonepage malware, a VBS malware capable of remote command execution and data theft.

UAC-0099 Exploits WinRar Vulnerability

In most recent attacks, UAC-0099’s focus on exploiting the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) signifies a sophisticated approach to cyberattacks. This high-severity flaw in WinRAR, a widely used file compression tool, opens a backdoor for attackers to inject malicious code into unsuspecting systems. Also, the exploit involves the use of rigged self-extracting (SFX) archives and specially crafted ZIP files, designed to bypass traditional security measures and deliver the Lonepage malware directly into the heart of target systems.

Attack Vectors Using WinRAR:

  1. Self-Extracting Archives Deception: Attackers distribute SFX files, which house malicious LNK shortcuts camouflaged as innocuous DOCX documents. These files, using familiar icons like Microsoft WordPad, entice victims into unwittingly executing malicious PowerShell scripts that install Lonepage.
  2. Manipulated ZIP Files: UAC-0099 also employs ZIP archives specifically crafted to exploit the WinRAR flaw. These files are engineered to trigger the vulnerability, illustrating the group’s adeptness at leveraging software weaknesses to their advantage.
WinRar Vulnerability
WinRAR vulnerability chain

What is UAC-0099?

The UAC-0099 group, first identified by Ukraine’s Computer Emergency Response Team (CERT-UA) in June 2023, primarily targets Ukrainian employees working for international companies. Their tactics, while not technologically groundbreaking, prove effective in compromising critical information from a wide range of state organizations and media entities. Deep Instinct’s recent analysis reveals a disturbing trend: the group’s consistent focus on espionage, endangering not just the organizations, but also the individuals involved.

What is Lonepage Malware?

Lonepage Malware is a sophisticated Visual Basic Script (VBS) based malware used by…

Source…