![Cyber attack Cyber attack](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidHFyDi2-hRFa-5P1oY8GchnEZcvErDgXCSY6-r4vEazNI4lYg27sLPLt5qAEQukB5gAaay7YvuFtj_bw_HfwaSFQoynstB97gz0mEn3l5_N7ORejb_btcs217-0dUr8JWf9Tahtx5CZ6ZAxU80MgH5S5sHSkmap-7Cj5cTbJeJTxtaUJNlOPeqP8xj52J/s728-rw-e365/malware-attack.png)
The advanced persistent threat (APT) group known as UAC-0063 has been observed using legitimate documents obtained by compromising one victim to attack another target with the aim of distributing known malware.
"This investigation focuses on completing the picture of UAC-0063's operations, particularly its targeting of entities in multiple European embassies, including Germany, the United Kingdom, the Netherlands, Romania, and Georgia," Bitdefender technical solutions director Martin Zugec said in a report shared with The Hacker News.
UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign targeting government agencies in Central Asia using a data exfiltration malware known as DownEx (also known as STILLARCH). It is suspected of sharing links with a known Russian state-sponsored actor called APT28.
Just a few weeks later, Ukraine's Computer Emergency Response Team (CERT-UA) assigned the moniker to the threat cluster, revealing that the hacking group had been operating since at least 2021 and was attacking the country's government with a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and DownEx.
According to Recorded Future's Insikt Group, UAC-0063 has targeted various government and educational institutions in Central Asia, East Asia, and Europe.
Earlier this month, cybersecurity company Sekoia revealed that it had identified a campaign conducted by the hacking crew that delivered the HATVIBE malware using documents stolen from the Republic of Kazakhstan as spear-phishing lures.
Bitdefender's latest findings indicate a continuation of this activity, with the intrusions ultimately delivering DownEx, DownExPyer, and, in at least one incident targeting a German company in mid-2023, a newly discovered USB data stealer code-named PyPlunderPlug.
![Cyber attack Cyber attack](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS1mYEzCSUPTdqRdAF41gXpUzeyRIw1PxTFAr7OlhmNmG_fkWvScN3bXmfZLdp8_8jErrwe3QWnaVUa3F5STedB4v5SGjG_P6dcHu1Q9KRAe6WDX5PT8oL8KWYxmODwMxDBJddZ9BVUE8BWxbkrVmVohr6_cSuVe7xkdyyh3SVFH-BJuVFGdN9lOHxihU5/s728-rw-e365/flow.png)
DownExPyer is equipped with various functions for maintaining a persistent connection with a remote server, collecting data, running commands, and receiving commands to deploy additional payloads. The list of tasks obtained from the command-and-control (C2) server is as follows:
- A3 - Exfiltrate files matching a specific set of extensions to C2
- A4 - Exfiltrate files and keystroke logs to C2 and delete them
- A5 - Execute commands (by default, the "systeminfo" command is invoked to harvest system information)
- A6 - List the file system
- A7 - Take screenshots
- A11 - Terminate another running task
![Cyber security](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2DhAEcfZPomMkFjg_PBGRtXcqSQWz21i5YgcBHDXAjhJz4KVuiPktjD7s23mDT7Lwg5ksNAz_1NiUuj1W-8eE8etOwr48VJxkeQo0bgmcJs5BOnWwOJg2onaXTzXPrZNlczStGVo4Cya1_B4i3-R_PaYRch5wRxJ9FjH4KKLewchcG72H04aGgIR7jPTK/s1600/per-d.png)
"The stability of DownExPyer's core functionality over the past two years is an important indicator of the maturity and longevity of UAC-0063's arsenal," Zugec explained. "This observed stability suggests that DownExPyer was already operational before 2022 and is likely to have been refined since."
Bitdefender also identified a Python script designed to record keystrokes (likely a predecessor of LOGPIE) on one of the compromised machines infected with DownEx, DownExPyer, and HATVIBE.
"UAC-0063 is an example of a sophisticated threat actor group characterized by advanced capabilities and persistent targeting of government agencies," Zugec said.
"Their arsenal, characterized by sophisticated implants such as DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, clearly points to a focus on espionage and intelligence gathering."