A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.
Newly identified staging infrastructure overlaps with tactics, techniques, and procedures (TTPs) previously attributed to the group and shows that the threat actor continues its attacks on Ukrainian targets likely in support of Russia’s military actions in Ukraine.
UAC-0113 has been linked by the Computer Emergency Response Team of Ukraine (CERT-UA) to the advanced persistent threat (APT) actor Sandworm (also known as Telebots, Iron Viking and Voodoo Bear), which is likely part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
In June 2022, a CERT-UA report detailed UAC-0113’s use of the DarkCrystal remote access trojan (RAT) to target entities interested in legal matters related to Ukrainian military service personnel.
However, a recently identified malicious ISO file shows that the group has switched to the use of two other malware families, namely Colibri Loader and Warzone RAT. The attackers employ HTML smuggling for malware delivery, Recorded Future says.
DarkCrystal RAT, Colibri Loader, and Warzone RAT are commodity malware families that can be purchased on various underground forums and which are popular among various threat actors, providing them with a broad range of capabilities, including data theft and payload downloading.
After taking a deep dive into domains recently associated with UAC-0113, as well as their connecting IP addresses, Recorded Future identified additional infrastructure used by the threat actor, as well as overlaps with infrastructure previously attributed to the group, including the use of the same LS certificate provider for multiple domains.
Domains identified in July and August 2022 are spoofing telecommunications operators in Ukraine, but also telecoms company Starlink, which is operated by American company SpaceX.
“It is currently unknown why there is a similarity overlap between the 2 threat actor groups’ use of this ISO delivery functionality; one hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase,” Recorded Future notes.