CredPump, HoaxPen, and HoaxApe Backdoor Detection: UAC-0056 Hackers Launch Disruptive Attacks Against Ukrainian Government Websites Planned Over One Year Earlier

Approaching the date of one-year anniversary of the outbreak of full-fledged war in Ukraine, cyber defenders addressed the risks of potential attacks against Ukraine and its allies by russian offensive forces. On February 23, CERT-UA cybersecurity researchers revealed the malicious activity attributed to the UAC-0056 hacking group, which was observed in malicious campaigns against Ukraine leveraging the phishing attack vector in July 2022. In the uncovered adversary campaign, threat actors aimed to disrupt the integrity and availability of government websites by leveraging multiple backdoors, which had been planted back over a year before. 

Analysis of Disruptive Cyber Attacks Against Ukraine by the russia-linked UAC-0056 Group 

On February 23, 2023, CISA issued an alert urging U.S. and European organizations to boost their cyber vigilance in response to the potential cyber attacks by russian aggressors. Cyber defenders warned organizations and individual users about the high risks of disruptive attacks against multiple websites marking one-year anniversary of russia’s full-scale invasion of Ukraine. The alert was issued shortly after CERT-UA researchers detected the malicious disruptive activity against the Ukrainian government websites and covered it in the corresponding CERT-UA#6060 alert. 

CERT-UA cybersecurity researchers have uncovered an incident targeting Ukrainian government bodies and aimed to cripple the integrity and availability of state-owned informational websites. Based on the observed behavior patterns, the adversary activity can be attributed to the UAC-0056 hacking collective (DEV-0586, unc2589) or Ember Bear. 

The hacking collective was behind a series of phishing attacks on Ukrainian state bodies in mid-summer 2022, spreading Cobalt Strike Beacon malware. Ember Bear is a suspected russian nation-backed cyber espionage group, which has been observed in the cyber threat arena since March 2021, mainly targeting Ukraine and Georgia along with organizations in Europe and U.S. in multiple industry sectors, including finance and pharma. The russia-linked UAC-0056 group might also be behind the WhisperGate data-wiping attack at the turn of 2022. 

On February 23, 2023, researchers revealed one of the encrypted web shells at one of the compromised web resources, which was observed to have been leveraged by attackers the night before. As a result of malicious activity, a novel “index.php” file was created in the root web catalog. The latter file enabled modification of the home page content of the compromised web resource. Threat actors communicated with the web shell using IP addresses, including those that belonged to the neighboring devices of other hacked organizations due to their earlier account abuse and further VPN-enabled connection to the corresponding organizations.

In this ongoing campaign, adversaries have leveraged an infamous SSH-backdoor CredPump (used as a RAM module), which allows attackers to gain remote SSH access and enable credential logging via SSH-based connection. Other discovered malware strains known as HoaxPen and HoaxApe backdoors were deployed back in February 2022 for code execution, a year ago before launching a malicious campaign.

At the earlier stages of the attack lifecycle, threat actors applied other malware samples, including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor. Notably, threat actors had planned unauthorized remote access to the targeted systems in advance before launching a malicious campaign.

Detecting the Malicious Activity of the UAC-0056 Group Covered in the CERT-UA#6060 Alert

With CERT-UA and CISA issuing alerts warning of ongoing and potential russia-affiliated disruptive actions against Ukraine and its allies, organizations and individual users should take immediate measures to proactively defend against the related malicious activity and enhance their cyber vigilance. SOC Prime’s Detection as Code Platform curates a set of Sigma rules to detect the adversary activity of the notorious UAC-0056 group, which is behind the latest campaign covered in the CERT-UA#6060 alert. The detections are aligned with the MITRE ATT&CK® framework v12 and are instantly convertible to 27+ SIEM, EDR, and XDR solutions ready to deploy to the organization-specific environment. For streamlined content search, all Sigma rules are filtered by the corresponding custom tag “CERT-UA#6060” based on the CERT-UA alert identifier.

Click the Explore Detection button to reach the entire list of relevant detection algorithms enriched with in-depth cyber threat context, like ATT&CK references and CTI links, mitigations, and executable binaries linked to Sigma rules.

Explore Detections

MITRE ATT&CK Context

To explore the context behind the latest UAC-0056 malicious campaign reported in CERT-UA#6060 alert, all dedicated Sigma rules are automatically tagged with ATT&CK addressing the corresponding tactics and techniques:

Since February 24, 2022, russia has launched over 2,100 cyber attacks against Ukraine and its allies, some of which had been planned earlier, like in the case of the latest activity of UAC-0056 hackers. To help teams always stay ahead of current and emerging russia-affiliated threats, take advantage of the charity-based #Sigma2SaveLives subscription offering direct access to 500+ Sigma rules against russian nation-backed APT groups along with 50 detections of your choice. Get the subscription with 100% of the revenue donated to aid Ukraine’s defense at https://my.socprime.com/pricing/.