The article was published on Dec 22, 2023, by the Newsroom and is tagged under Malware/Cyber Attack. The threat actor UAC-0099 has been linked to attacks targeting Ukraine using a high-severity flaw in the WinRAR software to distribute the LONEPAGE malware. The group targeted Ukrainian employees working outside Ukraine, utilizing phishing messages with HTA, RAR, and LNK file attachments to deploy LONEPAGE. The malware is capable of connecting to a command-and-control server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.
Deep Instinct’s analysis reveals that the attacks also leverage self-extracting (SFX) archives and ZIP files to distribute LONEPAGE, exploiting the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8). The SFX file disguises an LNK shortcut as a DOCX file, triggering malicious PowerShell code to drop the LONEPAGE malware, while the ZIP archive is susceptible to CVE-2023-38831, with UAC-0099 creating two such artifacts three days after WinRAR released a patch for the bug.
The article further highlights the simple yet effective tactics employed by UAC-0099: PowerShell and a scheduled task that runs a VBS file form the core of the infection chain. Additionally, CERT-UA has warned of a new phishing campaign involving a remote access trojan, attributed to UAC-0050.
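As an added, defender-side illustration of the ZIP abuse mentioned above (this is not code from the article or from Deep Instinct's report): a triage script that lists a ZIP's entries and flags the layout publicly associated with CVE-2023-38831, assumed here to be a decoy file whose name ends in a space alongside a same-named directory holding a script whose name begins with the decoy's name. The sample archives are constructed in memory with inert text content.

```python
"""Heuristic triage of a ZIP listing for the CVE-2023-38831 entry layout."""
import io
import zipfile

# Extensions treated as scripts/executables for this check (assumption).
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".ps1", ".exe", ".scr")


def find_cve_2023_38831_candidates(zip_bytes: bytes) -> list:
    """Return (decoy, script) pairs whose names match the suspicious layout."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
        for decoy in files:
            # Only top-level names carrying a trailing space are candidates.
            if "/" in decoy or not decoy.endswith(" "):
                continue
            prefix = decoy + "/"  # a directory sharing the decoy's exact name
            for other in files:
                if not other.startswith(prefix):
                    continue
                inner = other[len(prefix):]
                if inner.startswith(decoy) and inner.lower().endswith(SCRIPT_EXTS):
                    hits.append((decoy, other))
    return hits


def build_sample(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: text}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed archives: one with the suspicious layout, one benign.
SUSPICIOUS = build_sample({
    "invoice.pdf ": "decoy placeholder text",
    "invoice.pdf /invoice.pdf .cmd": "placeholder, not a real script",
})
BENIGN = build_sample({"report.docx": "ordinary document bytes"})

if __name__ == "__main__":
    print(find_cve_2023_38831_candidates(SUSPICIOUS))  # [('invoice.pdf ', 'invoice.pdf /invoice.pdf .cmd')]
    print(find_cve_2023_38831_candidates(BENIGN))      # []
```

Run it against quarantined attachments from mail-gateway logs to prioritise which archives deserve a closer look; a hit is a strong signal, but an empty result does not prove an archive is clean.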