UAC-0149 Attack Detection: Hackers Launch a Targeted Attack Against the Armed Forces of Ukraine, as CERT-UA Reports
Table of contents:
Two days before the 2nd anniversary of russia’s full-scale invasion, CERT-UA researchers uncovered an ongoing phishing attack against the Armed Forces of Ukraine. The adversary campaign linked to the UAC-0149 group has leveraged COOKBOX malware to infect targeted systems.
UAC-0149 Attack Analysis Using COOKBOX Malware
CERT-UA in coordination with the Cybersecurity Center of the Information and Telecommunication Systems of the Military Unit А0334 unveiled a targeted attack against the Armed Forces of Ukraine covered in the corresponding CERT-UA#9204 alert. The UAC-0149 group has been performing the malicious operation since at least fall 2023.
On February 22, 2024, several military employees received a lure XLS file titled “1_ф_5.39-2024.xlsm” related to the report challenges via the Signal messenger. In addition to a legitimate macro, the file contained VBA code designed to execute a PowerShell command responsible for downloading, decoding, and executing the PowerShell script “mob2002.data.”
The PowerShell script downloaded from GitHub performs registry modification on the operating system (OS), including writing the primary payload in the base64-encoded format, writing the decoder-launcher in the base64-encoded format to the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\XboxCache” branch, and creating a registry key “xbox” in the “Run” autostart branch, which is intended to execute the decoder, facilitating the execution of the main payload. The latter upon decoding contains another PowerShell script that performs GZIP decompression and executes the malicious COOKBOX program.
COOKBOX malware is a PowerShell script for loading and running PowerShell commands. For each infected device a unique identifier is computed using cryptographic transformations (SHA256/MD5 hash functions) based on a combination of the computer name and disk serial number. This identifier is transmitted in the “X-Cookie” header of HTTP requests during interactions with the C2 server.
COOKBOX malware persistence is achieved via a corresponding registry key in the “Run” branch of the OS registry. This key is created during the initial infection stage by a third-party PowerShell script, including the COOKBOX deployer. Commonly, the code leverages obfuscation like character encoding, character substitution (replace()), base64 encoding, and GZIP compression. UAC-0149 hackers apply dynamic DNS services and Cloudflare Workers for the C2 infrastructure management.
Defenders observed that adversaries managed to infect the targeted systems using COOKBOX malware in cases when the infrastructure was not properly protected. The devices without blocking the attempts of running cmd.exe, powershell.exe, mshta.exe, w(c)script.exe, hh.exe, and other executive utilities were mostly vulnerable to attacks. If the utilities were launched from within a process parented by one of the Microsoft Office programs (e.g., EXCEL.EXE), the chances of attacks increased. Notably, in one case, adversary attempts failed due to properly set EDR protection, which fuels the need for following best cybersecurity practices and strengthening cyber defense to effectively withstand such attacks.
With the exponential rise in cyber attacks targeting Ukraine and its allies mainly in the public sector, forward-looking organizations are striving to elevate cyber vigilance backed by a proactive cyber defense strategy and innovation capabilities. Leveraging Attack Detective, organizations can seamlessly identify blind spots in detection coverage, gain from automated threat hunting capabilities, and minimize the risks of organization-specific threats to reinforce their cybersecurity posture.
Detect the UAC-0149 Attack Covered in the CERT-UA#9204 Alert
Security experts estimate that around 40 russia-backed APT groups attacked Ukraine in H1 2023, with intrusions constantly growing in number and sophistication. This time, the Armed Forces of Ukraine became a target of another malicious campaign by UAC-0149, relying on COOKBOX malware.
To help security professionals spot suspicious activity linked to UAC-0149 and COOKBOX, SOC Prime Platform for collective cyber defense aggregates a set of behavior-based detection algorithms accompanied by detailed metadata. All the rules are mapped to MITRE ATT&CK® v14.1 and compatible with 28 SIEM, EDR, XDR and Data Lake solutions. Just hit the Explore Detections button below and drill down to the curated rule set.
Alternatively, cyber defenders can search for related detections using “UAC-0149” and “CERT-UA#9204” tags based on the group identifier and CERT-UA alert.
Security engineers might also streamline the IOC packaging using the Uncoder AI tool. Just paste the IOCs provided by CERT-UA and automatically convert them into performance-optimized queries ready to run in the chosen environment for smooth threat investigation.
MITRE ATT&CK Context
Security engineers can also check out the details of the UAC-0149 attack using COOKBOX malware provided in the most recent CERT-UA alert. Explore the table below to access a comprehensive list of adversary TTPs linked to the relevant Sigma rules, facilitating a thorough analysis:
Tactics | Techniques | Sigma Rule |
Initial Access | Phishing: Spearphishing Attachment (T1566.001) | |
Execution | User Execution: Malicious File (T1204.002) | |
Command and Scripting Interpreter: PowerShell (T1059.001) | ||
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | |
Defense Evasion | Hide Artifacts: Hidden Window (T1564.003) | |
Obfuscated Files or Information (T1027) | ||
Discovery | System Information Discovery (T1082) | |
Command and Control | Proxy: Domain Fronting (T1090.004) | |
Ingress Tool Transfer (T1105) |