Unveiling UAC-0099: A Persistent Cyber Threat Targeting Ukraine

layer8 | Dec 28, 2023

A recent investigation by Deep Instinct has put the spotlight back on UAC-0099, a cyber espionage group that has been targeting Ukrainian interests since at least mid-2022. With a focus on exploiting vulnerabilities and deploying malware for espionage, UAC-0099's activities present a clear and present danger to its targets.

Who is UAC-0099?

UAC-0099 is a cyber espionage group with a focused agenda of infiltrating Ukrainian targets. Its operations have been notably characterized by the exploitation of a high-severity flaw in WinRAR (CVE-2023-38831) to deliver malware for espionage. The group's deliberate targeting of Ukrainian employees working for companies abroad underlines a methodical approach to compromising individuals and organizations with ties to Ukraine, including those outside the country's borders.

The Technical Breakdown of UAC-0099 Attacks

The attacks orchestrated by UAC-0099 are multifaceted and sophisticated, leveraging a mix of technical prowess and social engineering to breach their targets:

  • Exploitation Vector: Central to their strategy is the exploitation of CVE-2023-38831 in WinRAR. This is not a memory-corruption bug but a logic flaw in how WinRAR handles a crafted ZIP archive: when the archive contains a benign-looking file (for example a PDF) alongside a directory of the same name, and the user double-clicks the file inside WinRAR, vulnerable versions (before 6.23) extract and run a script from that same-named directory instead of simply opening the decoy. The result is arbitrary code execution from a single click on what looks like a document.
  • Infection Tactics: Phishing emails with malicious attachments serve as the primary infection vector. These emails carry ZIP archives that exploit the WinRAR flaw the moment the victim opens the decoy file from within the archive, so the malicious payload runs without the user ever seeing a script or an executable.
  • Malicious Payload Execution: Upon successful exploitation, UAC-0099 deploys PowerShell scripts designed for data exfiltration and system reconnaissance. These scripts run silently in the background, gathering information and sending it back to the attackers.
  • Decoy Documents: To distract victims and lend an air of legitimacy to their phishing attempts, UAC-0099 employs decoy documents, such as fake court summons, that appear innocuous at first glance.
  • Automation and Sophistication: The nearly simultaneous creation of malicious files across different attacks suggests a high degree of automation. This, coupled with the rapid exploitation of new vulnerabilities, underscores the group’s sophisticated capabilities.
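The archive layout that CVE-2023-38831 depends on is easy to recognise statically, because a legitimate archive never contains a file and a directory with exactly the same name (they could not both be extracted to the same path). The following scanner, an added example that is not code from the original post or from Deep Instinct's report, flags that collision and reports any runnable file inside the same-named directory. The sample archives it builds are constructed in memory with placeholder bytes, so it runs offline and contains no real payload; the file names, extension list and version threshold are the author's assumptions about what a practitioner would want to check, not indicators taken from the report.

```python
"""Heuristic scanner for the CVE-2023-38831 ZIP layout (added example).

The exploit archive pairs a decoy file entry (e.g. "summons.pdf ") with a
directory of the same name ("summons.pdf /") holding a script such as
"summons.pdf .cmd". Trailing spaces are typical in the public PoCs but the
file/directory name collision alone is already abnormal for a real archive.
"""
import io
import zipfile

# Extensions a vulnerable WinRAR would hand to the shell as runnable content
# (assumed list; extend to taste for your environment).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf",
                   ".ps1", ".scr", ".hta", ".lnk", ".pif"}


def find_38831_pairs(zip_bytes: bytes) -> list:
    """Return one finding per (decoy file, same-named directory, payload) triple."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        files = sorted(n for n in names if not n.endswith("/"))
        # Directories may be implicit (no explicit "dir/" entry), so derive
        # every directory prefix from the stored paths instead of trusting
        # the archive to list them.
        dirs = set()
        for n in names:
            parts = n.rstrip("/").split("/")
            for i in range(1, len(parts)):
                dirs.add("/".join(parts[:i]))
        for decoy in files:
            if decoy not in dirs:
                continue  # no directory collides with this file name
            prefix = decoy + "/"
            for candidate in files:
                if not candidate.startswith(prefix):
                    continue
                inner = candidate[len(prefix):]
                if "/" in inner:
                    continue  # only files directly under the colliding directory
                if any(inner.lower().endswith(ext) for ext in EXECUTABLE_EXTS):
                    findings.append({
                        "decoy": decoy,
                        "directory": prefix,
                        "payload": candidate,
                        "trailing_space": decoy.endswith(" "),
                    })
    return findings


def winrar_is_patched(version: str) -> bool:
    """True if a WinRAR version string (e.g. "6.22") is 6.23 or later."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) >= (6, 23)


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archive; placeholder bytes stand in for real content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Decoy with a trailing space and a same-named directory holding a script.
            zf.writestr("summons.pdf ", b"%PDF-1.4 decoy placeholder\n")
            zf.writestr("summons.pdf /summons.pdf .cmd", b"@echo off\r\nrem placeholder\r\n")
        else:
            zf.writestr("summons.pdf", b"%PDF-1.4 benign placeholder\n")
            zf.writestr("attachments/notes.txt", b"benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, find_38831_pairs(sample))
    print("WinRAR 6.22 patched:", winrar_is_patched("6.22"))
```

Run it over inbound archive attachments at the mail gateway or in a sandbox: a non-empty result is a strong signal on its own, and `trailing_space` being true matches the published exploit pattern almost exactly. The scanner only reads the central directory, so it never extracts anything; pair it with the `winrar_is_patched` check when inventorying endpoints, because WinRAR has no auto-update and old copies linger.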

Mitigation Strategies

Defending against a threat actor as sophisticated as UAC-0099 requires a comprehensive security strategy:

  • Regular Software Updates: Ensuring that all software is up to date is crucial to mitigating known vulnerabilities. WinRAR 6.23 and later fix CVE-2023-38831, but WinRAR has no automatic update mechanism, so patched builds must be pushed deliberately and old installs inventoried.
  • Monitoring and Restricting PowerShell Usage: Given UAC-0099's reliance on PowerShell scripts, enable script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) so that the decoded script content is recorded, and restrict execution with Constrained Language Mode or application control where users have no business running PowerShell. Removing PowerShell outright is rarely practical, so logging is the baseline and restriction the goal.
  • Awareness and Training: Educating employees about the dangers of phishing emails and how to recognize them is vital in preventing initial compromises. Training should cover the specific pattern used here: an archive whose "document" must be double-clicked from inside WinRAR, which is exactly the action that triggers the exploit.

Conclusion

UAC-0099’s activities serve as a stark reminder of the persistent threat posed by cyber espionage groups. By understanding their tactics and techniques, organizations can better prepare their defenses against these sophisticated adversaries. Staying informed and vigilant is key to safeguarding against such targeted attacks.