The threat actor UAC-0099 is exploiting a high-risk vulnerability in WinRAR software to deploy the LONEPAGE malware against Ukrainian organizations. Deep Instinct, a cybersecurity firm, noted in a recent analysis that this group is specifically targeting Ukrainian employees working for businesses based outside of Ukraine. UAC-0099's activities were first reported by Ukraine's Computer Emergency Response Team (CERT-UA) in June 2023, highlighting its espionage attacks on state institutions and media organizations.
The group's attack chain involves phishing emails with HTA, RAR, and LNK file attachments, leading to the installation of LONEPAGE, a Visual Basic Script (VBS) malware. This malware can communicate with a command-and-control (C2) server to download additional payloads, including keyloggers, stealers, and screenshot malware. CERT-UA reported in 2023 that this group had gained unauthorized remote access to several dozen computers in Ukraine over 2022-2023.
Deep Instinct's latest analysis revealed three different infection methods used by UAC-0099, including HTA attachments, self-extracting (SFX) archives, and booby-trapped ZIP files. The latter two exploit the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to spread the LONEPAGE malware. In one method, the SFX file contains an LNK shortcut disguised as a DOCX file for a court summons, using the Microsoft WordPad icon to trick the victim into opening it. This leads to the execution of malicious PowerShell code that installs the LONEPAGE malware.
The other attack method involves a specially designed ZIP archive susceptible to CVE-2023-38831. Deep Instinct discovered two such artifacts created by UAC-0099 on August 5, 2023, three days after WinRAR maintainers released a patch for the bug. Deep Instinct stated, "The tactics used by 'UAC-0099' are simple, yet effective. Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file."
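As an added example (not part of the original report or Deep Instinct's analysis), the following Python sketch shows how a defender could triage Windows Security event 4698 ("A scheduled task was created") records for the pattern quoted above: a task whose action launches a .vbs file, registered from a PowerShell process. The two sample events, the task names and the file paths are constructed for the demo; the field names follow the 4698 event layout, but nothing here is taken from UAC-0099's actual tooling.

```python
"""Triage scheduled-task creation events for tasks that execute a VBS file.

Added detection sketch; the events below are constructed samples, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (the <Task> root element declares it).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)

# Constructed sample of two 4698 records as dicts (field names follow the event,
# values are made up). The first mimics the described pattern: PowerShell registers
# a task that runs wscript.exe on a .vbs file every few minutes. The second is a
# normal built-in maintenance task and should not be flagged.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "SubjectUserName": "user1",
        "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TaskName": r"\Updater",
        "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\\Users\\user1\\AppData\\Roaming\\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    },
    {
        "EventID": 4698,
        "SubjectUserName": "SYSTEM",
        "ProcessName": r"C:\Windows\System32\svchost.exe",
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
    },
]


def extract_exec_actions(task_xml):
    """Return (command, arguments) pairs from every <Exec> action in a Task XML document."""
    # The embedded declaration claims UTF-16, but we already hold decoded text, so drop it
    # before handing the string to the parser.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).lstrip()
    root = ET.fromstring(body)
    actions = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        cmd = exec_node.findtext(TASK_NS + "Command", default="")
        args = exec_node.findtext(TASK_NS + "Arguments", default="")
        actions.append((cmd.strip(), args.strip()))
    return actions


def flag_task_event(event):
    """Return a list of reasons this 4698 event matches the pattern (empty means not flagged)."""
    reasons = []
    if event.get("EventID") != 4698:
        return reasons
    for cmd, args in extract_exec_actions(event["TaskContent"]):
        host = cmd.lower().rsplit("\\", 1)[-1]
        if VBS_RE.search(cmd) or (host in SCRIPT_HOSTS and VBS_RE.search(args)):
            reasons.append(f"task action runs a VBS file: {cmd} {args}".strip())
    # Only worth reporting the creator when the action itself is suspicious.
    creator = event.get("ProcessName", "").lower().rsplit("\\", 1)[-1]
    if reasons and creator in ("powershell.exe", "pwsh.exe"):
        reasons.append(f"task registered by {creator}")
    return reasons


def triage(events):
    """Map task name -> reasons for every flagged event in the batch."""
    result = {}
    for event in events:
        reasons = flag_task_event(event)
        if reasons:
            result[event["TaskName"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The check keys on the task's action rather than its name, because the name is attacker-chosen; in a real pipeline the same two predicates (script host plus .vbs argument, creator process is PowerShell) would be applied to 4698 events pulled from the Security log, with a short allow-list of known maintenance tasks to cut noise.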
In related news, CERT-UA has warned of a new wave of phishing emails pretending to be unpaid Kyivstar bills to spread a remote access trojan known as Remcos RAT. This campaign has been attributed to another threat actor, UAC-0050.