
The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of cyberattacks carried out by a threat actor tracked as UAC-0099, targeting domestic government agencies, the defense forces, and businesses in the defense industrial sector.
The attacks use phishing emails as the initial compromise vector to deliver malware families such as MatchBoil, MatchWok, and Dragstare.
UAC-0099 was first documented by the agency in June 2023 and has a history of targeting Ukrainian entities for espionage purposes. Previous attacks have been observed leveraging a security flaw in the WinRAR software (CVE-2023-38831, CVSS score: 7.8) to propagate malware called LonePage.
The latest infection chains use email lures related to court summonses to entice recipients into clicking a link that is shortened using a URL shortening service like Cuttly. These links are sent from ukr.net email addresses and point to a double archive file containing an HTML Application (HTA) file.

Running the HTA payload triggers the launch of obfuscated Visual Basic Script files that run a loader called MatchBoil, a C#-based program designed to create scheduled tasks for persistence and ultimately drop additional malware on the host.
This includes a backdoor called MatchWok and a stealer named Dragstare. MatchWok, also written in C#, can run PowerShell commands and pass the execution results to a remote server.
Dragstare, meanwhile, is equipped to harvest system information, data from web browsers, and files matching a list of extensions (“.docx”, “.doc”, “.xls”, “.txt”, “.ovpn”, “.rdp”, “.pdf”), and to execute PowerShell commands received from attacker-controlled servers.
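As an added example (not code from CERT-UA or the report), the following Python flags the execution chain described above in process-creation events: an HTA host spawning a VBScript host that leads to scheduled-task creation or PowerShell execution. It assumes the default Windows hosts for these file types (mshta.exe, wscript.exe/cscript.exe) and uses a constructed, Sysmon-like event format.

```python
import ntpath

# Constructed, Sysmon-like process-creation events (not a real product schema).
# Event 4150 reproduces the chain from the advisory: HTA -> VBScript -> loader -> scheduled task.
EVENTS = [
    {"host": "ws01", "pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe"},
    {"host": "ws01", "pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws01", "pid": 4140, "ppid": 4130, "image": r"C:\Users\u\AppData\Roaming\x.exe"},
    {"host": "ws01", "pid": 4150, "ppid": 4140, "image": r"C:\Windows\System32\schtasks.exe"},
    # Benign: an HTA-based help file on another host with no script or task descendants.
    {"host": "ws02", "pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\mshta.exe"},
]

# Assumption: default Windows hosts (mshta.exe runs HTA files, wscript/cscript run VBScript).
HTA_HOSTS = {"mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OUTCOMES = {"schtasks.exe", "powershell.exe"}  # persistence (MatchBoil) / command execution (MatchWok)

def _name(image):
    """Lower-cased basename of a Windows image path; ntpath handles backslashes on any OS."""
    return ntpath.basename(image).lower()

def ancestry(events, event):
    """Image basenames from `event` up to the oldest ancestor present on the same host (child first)."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    chain, cur = [], event
    while cur is not None:
        chain.append(_name(cur["image"]))
        cur = by_pid.get((cur["host"], cur["ppid"]))
    return chain

def find_hta_chains(events):
    """Flag schtasks/powershell processes whose ancestors include a script host
    running under an HTA host, i.e. the HTA -> VBScript -> loader -> task chain."""
    alerts = []
    for e in events:
        if _name(e["image"]) not in OUTCOMES:
            continue
        chain = ancestry(events, e)
        script_idx = next((i for i, n in enumerate(chain) if n in SCRIPT_HOSTS), None)
        hta_idx = next((i for i, n in enumerate(chain) if n in HTA_HOSTS), None)
        # child-first ordering: a smaller index means a more recent descendant
        if script_idx is not None and hta_idx is not None and script_idx < hta_idx:
            alerts.append({"host": e["host"], "pid": e["pid"], "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for alert in find_hta_chains(EVENTS):
        print(alert)
```

The benign mshta.exe on ws02 is not flagged because the rule requires the full HTA-to-task lineage, not merely the presence of an HTA host.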

The disclosure comes just over a month after ESET published a detailed report cataloguing Gamaredon’s “relentless” spearphishing attacks on Ukrainian entities in 2024, which detailed the use of six new malware tools designed for stealth, persistence, and lateral movement:
- PteroDespair, a PowerShell reconnaissance tool that collects diagnostic data about failures of previously deployed malware
- PteroTickle, a PowerShell weaponizer targeting Python applications that have been converted to executables on fixed and removable drives, facilitating lateral movement by injecting code that likely runs PteroGraphin
- PteroGraphin, which creates an encrypted communication channel for scheduled tasks and payload delivery via the Telegraph API
- PteroStew, a VBScript downloader similar to PteroSand and PteroRisk
- a PowerShell file stealer similar to PteroPSDoor, but exfiltrating stolen files via Dropbox

“Gamaredon’s spearphishing activity increased significantly in the second half of 2024,” said security researcher Zoltán Rusnák. “The campaigns usually lasted 1-5 days in a row, with emails containing malicious archives (RAR, ZIP, 7Z) or XHTML files employing HTML smuggling techniques.”
Attacks often result in the delivery of malicious HTA or LNK files that run embedded VBScript downloaders such as PteroPSDoor, PteroLNK, PteroVDoor, PteroPSLoad, and PteroSand.
Other notable aspects of the Russia-aligned threat actor’s tradecraft include the use of fast-flux DNS and a reliance on legitimate third-party services such as Telegram, Telegraph, Codeberg, and Cloudflare Tunnels.
“Despite its limitations in observable capabilities and the abandonment of old tools, Gamaredon remains a key threat actor thanks to its continued innovation, aggressive spearphishing campaigns, and ongoing efforts to avoid detection,” ESET said.