
WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms

by Wajahat Raja

January 4, 2024 - TuxCare expert team

In the realm of cybersecurity, vigilance is paramount, and recent developments reveal a persistent threat facing Ukrainian entities. In mid-2023, the Ukrainian CERT issued advisory #6710, unmasking a threat actor identified as “UAC-0099.” This actor’s activities and arsenal of tools were succinctly outlined in the advisory. In this blog post, we’ll look into the intricate details of the persistent cybersecurity threat posed by LONEPAGE Malware. We’ll also uncover its tactics and the evolving landscape of targeted attacks against Ukrainian firms.


LONEPAGE Malware: UAC-0099’s Continued Assault on Ukraine


Since the publication of CERT-UA’s advisory, Deep Instinct has uncovered fresh malware attacks orchestrated by UAC-0099, specifically targeting Ukrainian entities. Notably, UAC-0099 employs a cunning strategy, deploying fabricated court summons to lure unsuspecting targets in Ukraine into executing malicious files. Cybersecurity for Ukrainian firms is a top priority in the ever-evolving digital landscape, necessitating robust strategies to mitigate risks and fortify defenses against emerging cyber threats.


UAC-0099 and WinRAR Exploits


UAC-0099 has been implicated in a series of assaults against Ukraine, leveraging a critical flaw in WinRAR software to propagate the LONEPAGE malware. According to cybersecurity firm Deep Instinct, this threat actor has set its sights on Ukrainian employees affiliated with international companies.

 

In a detailed analysis, Deep Instinct revealed that UAC-0099’s attack vectors encompass phishing messages housing HTA, RAR, and LNK file attachments. These attachments, when activated, trigger the deployment of LONEPAGE—a Visual Basic Script (VBS) malware. LONEPAGE exhibits the capability to establish communication with a command-and-control (C2) server, fetching additional payloads such as keyloggers, stealers, and screenshot malware.


A Timeline of Intrusion


The origins of UAC-0099 trace back to June 2023, when CERT-UA first documented the threat actor’s activities. The report highlighted UAC-0099’s espionage-driven attacks on state organizations and media entities within Ukraine. Disturbingly, unauthorized remote access to numerous computers in Ukraine occurred during the period from 2022 to 2023. Given this, implementing rigorous data security measures is clearly crucial to safeguarding sensitive information.


Diverse Attack Vectors


Deep Instinct’s latest analysis unveils three distinct infection chains employed by UAC-0099. The first involves HTA attachments, while the other two leverage self-extracting (SFX) archives and malicious ZIP files. In the case of ZIP files, UAC-0099 exploits the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to disseminate the LONEPAGE malware.


Deceptive Tactics


The SFX file harbors an LNK shortcut camouflaged as a DOCX file for a court summons. Utilizing the Microsoft WordPad icon, the threat actor entices victims to open the file, leading to the execution of malicious PowerShell code that drops the LONEPAGE malware.

The second attack sequence involves a meticulously crafted ZIP archive susceptible to CVE-2023-38831. Deep Instinct identified two such artifacts created by UAC-0099 on August 5, 2023—merely three days after WinRAR released a patch for the vulnerability. Despite distinct initial infection vectors, the core infection method remains consistent, relying on PowerShell and the creation of a scheduled task executing a VBS file.
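The persistence step shared by all three chains is a scheduled task that runs a VBS file. As an added defensive example (not code from the article or from Deep Instinct), the following Python parses Windows Security events with ID 4698 ("A scheduled task was created") and flags tasks whose action launches a .vbs through a script host. The events, task names, user names and file paths below are constructed samples.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EV = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Script hosts that can run a .vbs directly or via a wrapper command line.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

def make_4698(task_name, task_xml, user="alice"):
    """Build a constructed Security event 4698 in the XML layout Windows exports;
    the task definition travels escaped inside the TaskContent data field."""
    return (f'<Event xmlns="{EV[1:-1]}"><System><EventID>4698</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')

def task_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    task = ET.fromstring(task_xml)
    return [((ex.findtext(f"{TS}Command") or "").strip(),
             (ex.findtext(f"{TS}Arguments") or "").strip())
            for ex in task.iter(f"{TS}Exec")]

def is_vbs_action(command, arguments):
    """True when the executable is a script host and the command line names a .vbs file."""
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe in SCRIPT_HOSTS and ".vbs" in f"{command} {arguments}".lower()

def find_vbs_tasks(event_xmls):
    """Parse 4698 events; return (task name, creating user, command, arguments) for hits."""
    hits = []
    for raw in event_xmls:
        root = ET.fromstring(raw)
        if root.findtext(f"{EV}System/{EV}EventID") != "4698":
            continue
        data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EV}Data")}
        for cmd, args in task_actions(data.get("TaskContent", "<Task/>")):
            if is_vbs_action(cmd, args):
                hits.append((data.get("TaskName"), data.get("SubjectUserName"), cmd, args))
    return hits

# Constructed sample tasks: a benign updater and a task that runs a VBS via wscript.
BENIGN = (f'<Task version="1.2" xmlns="{TS[1:-1]}"><Actions><Exec><Command>C:\\Program Files\\App\\updater.exe'
          f'</Command><Arguments>/silent</Arguments></Exec></Actions></Task>')
SUSPECT = (f'<Task version="1.2" xmlns="{TS[1:-1]}"><Actions><Exec><Command>wscript.exe</Command>'
           f'<Arguments>//B "C:\\Users\\Public\\summons.vbs"</Arguments></Exec></Actions></Task>')
SAMPLE_EVENTS = [make_4698("\\Microsoft\\Windows\\App\\Update", BENIGN),
                 make_4698("\\sysupdate", SUSPECT, user="bob")]

if __name__ == "__main__":
    for hit in find_vbs_tasks(SAMPLE_EVENTS):
        print("suspicious scheduled task:", hit)
```

Fed real 4698 events exported from the Security log, the same logic surfaces VBS-launching tasks regardless of which of the three initial vectors (HTA, SFX or ZIP) created them.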


Cyber Threat Landscape: A New Wave


Coinciding with these revelations, CERT-UA issued a warning about a fresh wave of phishing messages masquerading as outstanding Kyivstar dues. These messages aim to propagate a remote access trojan known as Remcos RAT, with the campaign attributed to UAC-0050.

WinRAR vulnerabilities pose a significant cybersecurity risk, emphasizing the importance of prompt patching and proactive measures to secure systems and protect against potential exploits.


Conclusion


The landscape of cyber threats in 2023 is dynamic, and UAC-0099’s activities underscore the need for unwavering vigilance. Understanding their tactics and the vulnerabilities they exploit is crucial for bolstering defenses. Organizations, especially those with ties to Ukraine, should prioritize cybersecurity measures to thwart such evolving incidents and ensure the safety of their digital infrastructure. As the cybersecurity landscape evolves, staying informed and following cybersecurity best practices remain the key to safeguarding against such insidious threats.

 

The sources for this piece include articles in The Hacker News and Deep Instinct.
