UAC-0063 Cyber-Espionage Activity Detection: Hackers Target Organizations in Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Izrael, and India to Gather Intelligence
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
- UAC-0184 Abuses Messengers and Dating Websites to Proceed with Attacks Against Ukrainian Government and Military - 18.04.2024
- CVE-2024-3400 Detection: A Maximum Severity Command Injection PAN-OS Zero-Day Vulnerability in GlobalProtect Software - 17.04.2024
Table of contents:
Since the outbreak of the full-scale war in Ukraine, cyber defenders have identified the growing volumes of cyber-espionage campaigns aimed at collecting intelligence from the Ukrainian state bodies.
On May 22, 2023, CERT-UA researchers issued a new alert warning the global cyber defender community of an ongoing cyber-espionage campaign targeting the information and communication system of one of the Ukrainian state bodies. In these attacks, hackers spread a couple of spoofed emails masquerading the sender as the Embassy of the Republic of Tajikistan to Ukraine using the email attack vector. The adversary activity is attributed to the cyber-espionage hacking group tracked as UAC-0063, which is also known to target organizations in Central Asia, Israel, and India.Ā
UAC-0063 Cyber-Espionage Attack Analysis Covered in the CERT-UA#6549 Alert
The latest CERT-UA#6549 alert points to the ongoing cyber-espionage campaign targeting Ukrainian state bodies linked to the activity of UAC-0063 threat actors. According to researchers, this hacking collective has been in the spotlight in the malicious arena since 2021, mainly performing targeted cyber intelligence and subversive activities. In the latest campaign, adversaries leveraged an email attack vector to lure victims into opening an attachment with a malicious macro or following a direct link to the malicious document for intelligence gathering.Ā
The infection chain is triggered by downloading a document and activating a malicious macro, which leads to creating and opening a DOCX file. The latter also contains a macro that creates another macro intended for generating the malicious file “SoftwareProtectionPlatform” identified as a VBScript-encoded loader HATVIBE, along with a scheduled task for its launch.
Further investigation revealed that on April 25, 2023, the compromised systems were also infected by additional malicious software, including the LOGPIE keylogger and CHERRYSPY backdoor, with the latter intended for running Python code received from the remote server. Threat actors applied advanced code encryption and obfuscation mechanisms, including PyArmor and Themida, for anti-analysis protection. In addition, attackers leveraged the C++ file stealer STILLARCH for the file search and exfiltration, such as processing the results of the LOGPIE keylogger.
Based on the analysis of similar behavior patterns and related files, the UAC-0063 cyber-espionage group has also set its eyes on organizations in central Asia, including Kazakhstan, Kyrgyzstan, and Mongolia, as well as Izraeli, and Indian companies.
To reduce the attack surface, CERT-UA researchers recommend configuring restrictions on user accounts relevant to the use of “mshta.exe” and the launch of Windows Script Host and Python interpreter.
Detecting Malicious Activity Associated with UAC-0063 Cyber-Espionage Campaign
With increasing volumes of cyber-espionage campaigns targeting Ukraine and its allies, cyber defenders require the source of the relevant intelligence and detection content to proactively withstand russia-backed intrusions. To help organizations timely identify the potential malicious activity, SOC Prime curates a batch of Sigma rules addressing adversariesā tools, techniques, and procedures covered in CERT-UA investigations. All detections are compatible with 25+ SIEM, EDR, and XDR solutions and mapped to MITRE ATT&CK framework v12 to help SOC teams streamline the investigation and threat hunting procedures.
Hit the Explore Detections button below to explore the Sigma rules set aimed at detecting the latest campaign by UAC-0063. To simplify the content search, SOC Prime Platform supports filtering by the custom tag āCERT-UA#6549ā and a broader tag āUAC-0063ā based on the alert and group identifiers.
To streamline threat investigation, cyber defenders can also search for relevant indicators of compromise (IoCs) associated with the latest UAC-0063 campaign using Uncoder.IO. Just paste the file, host, or network IoCs provided by CERT-UA into the tool to instantly create performance-optimized IoC queries ready to run in the chosen environment.Ā
MITRE ATT&CK Context
To dive into the context behind the malicious campaign by UAC-0063, all above-referenced Sigma rules are tagged with ATT&CK v12 addressing the relevant tactics and techniques:
