A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.
Newly identified staging infrastructure overlaps with tactics, techniques, and procedures (TTPs) previously attributed to the group and shows that the threat actor continues its attacks on Ukrainian targets likely in support of Russia’s military actions in Ukraine.
UAC-0113 has been linked by the Computer Emergency Response Team of Ukraine (CERT-UA) to the advanced persistent threat (APT) actor Sandworm (also known as Telebots, Iron Viking and Voodoo Bear), which is likely part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
In June 2022, a CERT-UA report detailed UAC-0113’s use of the DarkCrystal remote access trojan (RAT) to target entities interested in legal matters related to Ukrainian military service personnel.
However, a recently identified malicious ISO file shows that the group has switched to the use of two other malware families, namely Colibri Loader and Warzone RAT. The attackers employ HTML smuggling for malware delivery, Recorded Future says.
DarkCrystal RAT, Colibri Loader, and Warzone RAT are commodity malware families that can be purchased on various underground forums and which are popular among various threat actors, providing them with a broad range of capabilities, including data theft and payload downloading.
After taking a deep dive into domains recently associated with UAC-0113, as well as their connecting IP addresses, Recorded Future identified additional infrastructure used by the threat actor, as well as overlaps with infrastructure previously attributed to the group, including the use of the same LS certificate provider for multiple domains.
Domains identified in July and August 2022 are spoofing telecommunications operators in Ukraine, but also telecoms company Starlink, which is operated by American company SpaceX.
An ISO file contained within the malicious webpage is automatically downloaded onto the visitors’ computers via HTML smuggling. The employed technique and JavaScript code on the page show similarities with APT29 (Cozy Bear), another prolific Russian cyberespionage group.
“It is currently unknown why there is a similarity overlap between the 2 threat actor groups’ use of this ISO delivery functionality; one hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase,” Recorded Future notes.
Related: More Russian Attacks Against Ukraine Come to Light
Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West
Related: Russian Cyberspies Target Diplomats With New Malware
More from Ionut Arghire
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- GitHub Rotates Publicly Exposed RSA SSH Private Key
- GitHub Suspends Repository Containing Leaked Twitter Source Code
- Google Ventures Leads $16 Million Investment in Dope.security
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
Latest News
- Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
- US to Adopt New Restrictions on Using Commercial Spyware
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
- Webinar Tomorrow: Understanding Hidden Third-Party Identity Access Risks
- GitHub Rotates Publicly Exposed RSA SSH Private Key
