UAC-0198 Attack Detection: Adversaries Massively Distribute Phishing Emails Spreading ANONVNC (MESHAGENT) Malware to Target Ukrainian State Bodies
Table of contents:
The increasing number of phishing attacks requires immediate attention from defenders, underscoring the need for increasing cybersecurity awareness and bolstering the organization’s cyber hygiene. Following the UAC-0102 attack targeting UKR.NET users, another hacking collective tracked as UAC-0198 leverages the phishing attack vector to target the Ukrainian state bodies and massively distribute ANONVNC (MESHAGENT) malware to gain unauthorized access to the compromised devices.
Detect UAC-0198 Phishing Attacks
During the third year of a full-scale war between Ukraine and russia, adversary forces have intensified their malicious activities, often leveraging phishing as a primary attack vector. The latest CERT-UA alert highlights a UAC-0198 attack, employing phishing tactics to target Ukrainian state bodies with ANONVNC (MESHAGENT) malware.
To assist security professionals in identifying the latest UAC-0198 attacks, SOC Prime Platform for collective cyber defense aggregates a set of dedicated Sigma rules, listed below:
This rule by the SOC Prime Teams helps to identify malicious files using short file names (i.e. 1.doc, 1.dll, 12.exe). The detection is compatible with 20 SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework, addressing the Defense Evasion tactic with Masquerading (T1036) being a primary technique.
Suspicious Binary / Scripts in Autostart Location (via file_event)
This rule helps detect the malicious activity associated with configuring system settings to automatically execute a program or scripts during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. The rule is compatible with 24 SIEM, EDR, and Data Lake technologies and mapped to MITRE ATT&CK addressing Boot or Logon Autostart Execution technique, with Registry Run Keys / Startup Folder (T1547.001) as a main subtechnique.
Possible Data Infiltration / Exfiltration over Non-Corp Service (via dns)
Adversaries may exfiltrate data by transferring it, including backups of cloud environments, to another cloud account they control. The reliance on the surrounding environment may necessitate the implementation of additional filtering measures to prevent false positives. This Sigma rule enables defenders to detect possible data infiltration or exfiltration over non-corporate services. The detection can be used across 20 cloud-native and on-premises SIEM, EDR, and Data Lake technologies to facilitate cross-platform threat detection. The rule is mapped to MITRE ATT&CK addressing the Command and Control tactic, with Ingress Tool Transfer (T1105) and Exfiltration Over Web Services (T1567) as the main techniques.
To review the dedicated content stack, security professionals might press the Explore Detections button below and immediately drill down to the rules list. Additionally, cyber defenders might access more tailored detection content by browsing Threat Detection Marketplace using custom “CERT-UA#10647” and “UAC-0198” tags.
Security teams can also rely on Uncoder AI to streamline IOC matching based on threat intel from the CERT-UA#10647 alert to seamlessly convert provided IOCs into performance-optimized queries that are ready to run in the selected hunting environment.
UAC-0198 Attack Analysis Spreading ANONVNC (MESHAGENT) Malware
On August 12, 2024, CERT-UA released a new CERT-UA#10647 alert notifying the global cyber defender community of an ongoing phishing attack targeting Ukrainian state bodies. The UAC-0198 hacking collective behind this campaign massively spreads spear-phishing emails impersonating the Security Service of Ukraine. CERT-UA has already identified over 100 compromised computers, including those operating within state and local government agencies in Ukraine.
The malicious emails contain a link to download a file named “Documents.zip.” Once clicked, the link downloads an MSI file, which in turn triggers the installation of the malicious ANONVNC (MESHAGENT) software. The latter enables unauthorized and hidden access to the targeted system, thus spreading the infection further.
ANONVNC features a configuration file identical to that of MESHAGENT malware. The fact that MESHAGENT’s source code is publicly available on GitHub suggests that the code used in this attack may have been adapted from it. Consequently, CERT-UA researchers temporarily refer to the discovered malware as ANONVNC, with “MESHAGENT” in parentheses to highlight its similarities to the corresponding malicious sample.
The recently identified phishing attacks have been causing a stir in the cyber threat arena since at least since July 2024 and may have a broader geographical scope. As of August 1, 2024, over a thousand EXE and MSI files have been found in the pCloud file service directories related to the ongoing campaign by UAC-0198.
The escalating risks of phishing attacks attributed to the UAC-0198 malicious activity, which may extend beyond Ukraine, highlight the urgent need to enhance cyber defense capabilities on a larger scale. SOC Prime operates the world’s largest and foremost platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI enabling security teams to proactively defend against emerging threats of any scale and sophistication while maximizing resource effectiveness.
