MAGICSPELL Malware Detection: UAC-0168 Hackers Launch a Targeted Attack Using the Subject of Ukraine’s NATO Membership as a Phishing Lure 

CERT-UA researchers recently uncovered a fraudulent copy of the English-language version of the Ukrainian World Congress website at https://www.ukrainianworldcongress.org/. The fake web resource contains a couple of DOCX documents that trigger an infection chain once opened. As a result of the attack chain, hackers can deploy MAGICSPELL payload intended to download, decipher, and maintain the persistence and launch of another loader to spread the infection further. The identified malicious activity is tracked as UAC-0168.

UAC-0168 Targeted Attack Analysis Covered in the CERT-UA#6940 Alert

On July 5, 2023, CERT-UA researchers issued the latest CERT-UA#6940 alert covering the targeted adversary activity attributed to the UAC-0168 hacking group. In this malicious campaign, threat actors leverage the fraudulent copy of a legitimate version of the Ukrainian World Congress website to lure victims into opening the malicious DOCX files and sparking the infection. The fake web resource includes two DOCX documents with titles related to the upcoming NATO Summit and Ukraine’s NATO membership, both of which contain an RTF document with malicious URL addresses and a UNC path. 

Threat actors establish communication via HTTP and SMB protocols. Opening the above-mentioned DOCX files and the successful exploitation of the relevant vulnerabilities leads to the download and launch of a set of malicious files, including a .chm file with an HTM and web archive files along with a URL and VBS files that spread the infection further. The latter enables hackers to launch other files located on the SMB resource in a variety of formats, including EXE and DLL. 

Throughout the investigation, cybersecurity researchers revealed a “calc.exe” file identified as a MAGICSPELL loader, which is capable of deploying other malicious executable files on the compromised systems and maintaining their persistence. 

The analysis of the SMB resource leveraged by attackers has revealed 195 IP addresses distributed across 30 countries, most of which belong to VPN servers and research organizations. 

According to CERT-UA, using the name of the Ukrainian World Congress along with the topic of Ukraine’s membership in NATO as phishing lures links the latest attack by UAC-0168 to the upcoming NATO summit to take place on July 11-12 in Vilnius, Lithuania. 

Detecting the Latest UAC-0168 Attacks Against Ukraine

To streamline threat investigation and assist security professionals in detecting the most recent offensive operations related to the UAC-0168 targeted attack, SOC Prime Platform offers a set of curated Sigma rules. Users can search for the relevant detection algorithms by filtering rules with the corresponding custom tags “CERT-UA#6940” and “UAC-0168” based on the CERT-UA alert and group identifiers. 

Press the Explore Detections button below to immediately drill down to the extensive list of dedicated Sigma rules aimed at UAC-0168 attack detection. All the rules are mapped to the MITRE ATT&CK® framework v12, provide actionable metadata and relevant cyber threat context, and are compatible with 28+ SIEM, EDR, and XDR solutions to match organization-specific security needs.

Explore Detections

Additionally, security teams can enhance their threat hunting velocity by searching for indicators of compromise linked to the UAC-0168 collective with the help of Uncoder AI. Just paste the file, host, or network IOCs listed by CERT-UA in the latest alert into the tool and select the content type of the target query to instantly create a performance-optimized IOC query matching your environment and current security needs. 

MITRE ATT&CK Context

To review a broader context behind the latest UAC-0168 attack covered in the CERT-UA#6940 alert, all related Sigma rules are tagged with ATT&CK v12 addressing the corresponding adversary tactics and techniques: