On April 28, 2022, CERT-UA published an alert warning of a new phishing attack on Ukrainian government entities that uses the Metasploit framework. Based on the observed behavior patterns, the activity is attributed to a group tracked as UAC-0098. This latest attack is also believed to trace back to the TrickBot collective, an infamous Russia-linked ransomware gang that operates sophisticated botnets and collaborates with advanced threat actors such as FIN6 and Ryuk in targeted campaigns built around malware distribution.
Metasploit is an open-source framework for building a penetration testing environment in which exploits are developed, tested, and executed. It is a widely adopted and powerful tool used by both threat actors and white-hat hackers to probe networks and servers of interest for vulnerabilities. The framework offers a range of tools and features for penetration testing, including the well-known Meterpreter payload.
The Meterpreter payload delivered in the latest attack on Ukrainian state bodies is sophisticated: it uses encrypted communications, injects itself into a compromised process, and can migrate easily, which simplifies delivery of the infection and leaves little forensic evidence.
On April 28, 2022, CERT-UA released an alert describing a phishing campaign that uses a war-themed lure to deliver malicious ISO files. Specifically, the threat actors distributed fraudulent "Decree of the President of Ukraine" files containing a DOCX decoy, an LNK shortcut, a PowerShell script, and an executable. Once launched, the LNK file starts the infection chain by running the PowerShell script, which opens the DOCX file and then runs the EXE file. As a result, the victim's computer is infected with Meterpreter.
The CERT-UA investigation attributes the campaign to the Russia-backed UAC-0098 and TrickBot groups based on similarities in the observed malicious behavior patterns.
To protect an organization's infrastructure against phishing attacks by UAC-0098, including the latest campaign leveraging Metasploit Meterpreter, the SOC Prime Team has provided a batch of dedicated Sigma rules:
Sigma rules to detect the malicious activity of UAC-0098 group
Register for SOC Prime's Detection as Code platform to access all the content via the link above, or run a custom search using the #UAC-0098 tag.
Security practitioners can also hunt for threats related to UAC-0098 activity using the detection content above via the Quick Hunt module.
For context on the latest phishing attack by the UAC-0098 and TrickBot groups hitting Ukrainian state bodies with Metasploit Meterpreter, all relevant Sigma rules are aligned with the MITRE ATT&CK framework and address the following tactics and techniques:
Subvert Trust Controls (T1553)
Signed Binary Proxy Execution (T1218)
Command and Scripting Interpreter (T1059)
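As an added illustration of how the LNK to PowerShell to DOCX-plus-EXE chain described above (and the T1059 technique it maps to) can be spotted in process-creation telemetry, the following Python heuristic is example code written for this post; it is not one of SOC Prime's Sigma rules and not CERT-UA's detection logic. The event fields, file names and paths are constructed and hypothetical.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:  # minimal process-creation record (Sysmon Event ID 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect_lnk_chain(events):
    """Flag PowerShell processes matching the chain in the CERT-UA alert:
    spawned by explorer.exe (a double-clicked LNK), a command line that
    references a .docx decoy, and a child .exe outside trusted system paths."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (_basename(e.image) not in POWERSHELL_IMAGES or parent is None
                or _basename(parent.image) != "explorer.exe"
                or ".docx" not in e.cmdline.lower()):
            continue
        # Final condition: a child executable launched from an untrusted location
        for child in children.get(e.pid, []):
            img = child.image.lower()
            if img.endswith(".exe") and not img.startswith(TRUSTED_PREFIXES):
                hits.append({"ps_pid": e.pid, "payload": child.image})
                break
    return hits

# Constructed sample events; paths are hypothetical, not IoCs from the alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Malicious chain: PowerShell opens the decoy DOCX, then runs the EXE from the mounted ISO
    ProcEvent(2000, 1000, PS, r"powershell -w hidden Start-Process D:\lure.docx; Start-Process D:\payload.exe"),
    ProcEvent(3000, 2000, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"WINWORD.EXE D:\lure.docx"),
    ProcEvent(3001, 2000, r"D:\payload.exe", "payload.exe"),
    # Benign admin script from explorer: no decoy document, only a trusted child
    ProcEvent(2100, 1000, PS, r"powershell -NoProfile -File C:\Scripts\backup.ps1"),
    ProcEvent(3100, 2100, r"C:\Windows\System32\robocopy.exe", r"robocopy C:\data E:\bak"),
]
```

The heuristic is deliberately narrow: a production rule would also correlate the ISO mount (T1553) and any signed-binary proxy execution (T1218) that the Sigma rules above cover.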