WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms
In the realm of cybersecurity, vigilance is paramount, and recent developments reveal a persistent threat facing Ukrainian entities. In mid-2023, the Ukrainian CERT issued advisory #6710, unmasking a threat actor identified as “UAC-0099.” This actor’s activities and arsenal of tools were succinctly outlined in the advisory. In this blog post, we’ll look into the intricate details of the persistent cybersecurity threat posed by LONEPAGE Malware. We’ll also uncover its tactics and the evolving landscape of targeted attacks against Ukrainian firms.
LONEPAGE Malware: UAC-0099’s Continued Assault on Ukraine
Since the publication of CERT-UA’s advisory, Deep Instinct has uncovered fresh malware attacks orchestrated by UAC-0099, specifically targeting Ukrainian entities. Notably, UAC-0099 employs a cunning strategy, deploying fabricated court summons to lure unsuspecting targets in Ukraine into executing malicious files. Ukrainian firms cybersecurity is a top priority in the ever-evolving digital landscape, necessitating robust strategies to mitigate risks and fortify defenses against emerging cyber threats.
UAC-0099 and WinRAR Exploits
UAC-0099 has been implicated in a series of assaults against Ukraine, leveraging a critical flaw in WinRAR software to propagate the LONEPAGE malware. According to cybersecurity firm Deep Instinct, this threat actor has set its sights on Ukrainian employees affiliated with international companies.
In a detailed analysis, Deep Instinct revealed that UAC-0099’s attack vectors encompass phishing messages housing HTA, RAR, and LNK file attachments. These attachments, when activated, trigger the deployment of LONEPAGE—a Visual Basic Script (VBS) malware. LONEPAGE exhibits the capability to establish communication with a command-and-control (C2) server, fetching additional payloads such as keyloggers, stealers, and screenshot malware.
A Timeline of Intrusion
The origins of UAC-0099 trace back to June 2023, when CERT-UA first documented the threat actor’s activities. The report related to these cybersecurity trends highlighted UAC-0099’s espionage-driven attacks on state organizations and media entities within Ukraine. Disturbingly, unauthorized remote access to numerous computers in Ukraine occurred during the period from 2022 to 2023. Given this, it can be stated implementing rigorous data security measures is crucial to safeguarding sensitive information.
Diverse Attack Vectors
Deep Instinct’s latest analysis unveils three distinct infection chains employed by UAC-0099. The first involves HTA attachments, while the other two leverage self-extracting (SFX) archives and malicious ZIP files. In the case of ZIP files, UAC-0099 exploits the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to disseminate the LONEPAGE malware.
Deceptive Tactics
The SFX file harbors an LNK shortcut camouflaged as a DOCX file for a court summons. Utilizing the Microsoft WordPad icon, the threat actor entices victims to open the file, leading to the execution of malicious PowerShell code that drops the LONEPAGE malware.
The second attack sequence involves a meticulously crafted ZIP archive susceptible to CVE-2023-38831. Deep Instinct identified two such artifacts created by UAC-0099 on August 5, 2023—merely three days after WinRAR released a patch for the vulnerability. Despite distinct initial infection vectors, the core infection method remains consistent, relying on PowerShell and the creation of a scheduled task executing a VBS file.
Cyber Threat Landscape: A New Wave
Coinciding with these revelations, CERT-UA issued a warning about a fresh wave of phishing messages masquerading as outstanding Kyivstar dues. These messages aim to propagate a remote access trojan known as Remcos RAT, with the campaign attributed to UAC-0050. WinRAR vulnerabilities pose a significant cybersecurity risk, emphasising the importance of prompt patching and proactive measures to secure systems and protect against potential exploits.
Conclusion
The landscape of cyber threats 2023 is dynamic, and UAC-0099’s activities underscore the need for unwavering vigilance. Understanding their tactics and the vulnerabilities they exploit is crucial for bolstering defenses. Organizations, especially those with ties to Ukraine, should prioritize cybersecurity measures to thwart evolving Ukrainian cybersecurity incidents and ensure the safety of their digital infrastructure. As the cybersecurity landscape evolves, staying informed and ensuring cybersecurity best practices remain the key to safeguarding against such insidious threats.
The sources for this piece include articles in The Hacker News and Deep Instinct.