On August 30 and 31, 2022, CERT-UA revealed a burst of adversary activity massively distributing phishing emails among Ukrainian, Austrian, and German organizations. According to the corresponding CERT-UA#5252 alert, the attackers use malicious email attachments to spread the notorious AgentTesla info-stealing malware. Based on its behavior patterns, the activity is attributed to the hacking collective tracked as UAC-0120.
Since russia launched its major invasion of Ukraine and the world entered a global cyber war, russia-linked hacking collectives have escalated their malicious activity by launching cyberespionage campaigns and destructive cyber-attacks. As part of those campaigns, adversaries have leveraged info-stealing malware samples such as the IcedID Trojan and AgentTesla spyware. The latter is one of the most widely used spyware Trojans designed to steal sensitive data from compromised users. AgentTesla malware appeared in earlier cyber-attacks against Ukraine attributed to the UAC-0041 hacking group.
As a result, the PowerShell code launches DLL and EXE files, the latter being the AgentTesla spyware that infects the compromised system. According to the CERT-UA research, similar phishing emails were delivered on August 11, but they used other lures for email subjects and attachments.
To proactively defend against the emerging activity of diverse hacking collectives spreading info-stealing malware, cybersecurity researchers are looking for ways to boost threat detection capabilities and speed up threat hunting. The SOC Prime Team curates a set of unique Sigma rules to detect the malicious activity of the UAC-0120 group, which is behind the ongoing cyber-attacks distributing AgentTesla spyware. Since these phishing campaigns target multiple organizations in Ukraine, Austria, and Germany, cyber defenders should stay on alert to identify an infection in their organization’s infrastructure in time and mitigate the potential threat.
Cybersecurity practitioners can browse SOC Prime for the related threats based on the group identifier “UAC-0120” and instantly gain access to relevant Sigma rules enriched with insightful contextual metadata, like MITRE ATT&CK® and CTI references:
All Sigma rules are available in SOC Prime’s Detection as Code platform and can be applied across supported industry-leading SIEM, EDR, and XDR technologies.
Instantly access context-enriched Sigma rules for AgentTesla malware detection directly from SOC Prime’s Cyber Threats Search Engine. Click the Explore Detections button and drill down to the relevant detection content, accompanied by comprehensive contextual information for in-depth threat investigation. Need more than just detection rules? Take advantage of Detection as Code available on demand, offering maximum flexibility with a pre-paid balance.
All dedicated Sigma rules are aligned with the MITRE ATT&CK® framework and address the following adversary tactics and techniques, enabling cybersecurity professionals to instantly gain insights into the MITRE ATT&CK context behind the ongoing email campaigns of the UAC-0120 group:
Signed Binary Proxy Execution (T1218)
Subvert Trust Controls (T1553)
Command and Scripting Interpreter (T1059)
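The following is an added example, not code from the SOC Prime post, the CERT-UA alert, or SOC Prime’s actual Sigma rules: a minimal Sigma-style matcher run over constructed Sysmon-like process-creation events, covering the chain described above (a mail attachment leading to PowerShell, T1059, which then executes a DLL through a signed proxy binary, T1218). The mail client, proxy binary names (rundll32, regsvr32), file paths, and the two rules themselves are assumptions chosen for illustration.

```python
# Constructed Sysmon-style process-creation events (not from the CERT-UA alert).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"powershell.exe -w hidden -File C:\Users\u\AppData\Local\Temp\invoice.ps1"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": PS,
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Start"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-ChildItem"},
]

# Minimal Sigma-style rules (assumed, not SOC Prime's): "field|modifier" -> values; entries
# in one map are AND-ed, values in a list are OR-ed, matching is case-insensitive as in Sigma.
RULES = {
    "T1059: PowerShell spawned by a mail client": {
        "selection": {"Image|endswith": ["\\powershell.exe"],
                      "ParentImage|endswith": ["\\outlook.exe"]},
        "condition": "selection"},
    "T1218: proxy binary loading a DLL from PowerShell": {
        "selection": {"ParentImage|endswith": ["\\powershell.exe"],
                      "Image|endswith": ["\\rundll32.exe", "\\regsvr32.exe"],
                      "CommandLine|contains": [".dll"]},
        "filter": {"CommandLine|contains": ["\\windows\\system32\\"]},  # system DLLs are noise
        "condition": "selection and not filter"},
}

def field_matches(spec, values, event):
    """Evaluate one 'field|modifier' entry against an event (endswith / contains supported)."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field, "").lower()
    for v in (x.lower() for x in values):
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False

def block_matches(block, event):
    return all(field_matches(spec, vals, event) for spec, vals in block.items())

def evaluate(rule, event):
    hit = block_matches(rule["selection"], event)
    if rule["condition"] == "selection and not filter":
        hit = hit and not block_matches(rule["filter"], event)
    return hit

def run_rules(events=EVENTS, rules=RULES):
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in rules.items() if evaluate(rule, ev)]
```

Running `run_rules()` flags the first two constructed events and leaves the benign interactive PowerShell session alone; the filter on the second rule shows where a real rule would need tuning against legitimate system DLL loads.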
Stay ahead of emerging threats with on-demand access to the latest and most relevant Detection-as-Code content available in SOC Prime’s platform. Choose the On-Demand subscription plan and save up to 2,200 hours on threat research and detection content development while maximizing the value of your SOC team resources.