UAC-0099 Using WinRAR exploit to target Ukrainian companies with LONEPAGE malware

WinRAR Vulnerability

The threat actor known as UAC-0099 has been linked to ongoing attacks targeting Ukraine, some of which take advantage of a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE.

“The threat actor targets Ukrainian employees working for companies outside Ukraine,” cybersecurity firm Deep Instinct said in an analysis released Thursday.

UAC-0099 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing attacks against state organizations and media entities for espionage purposes.

The attack chains used phishing messages with HTA, RAR and LNK file attachments leading to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware that can contact a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.

“During the period 2022-2023, the mentioned group gained unauthorized remote access to several dozen computers in Ukraine,” CERT-UA said at the time.

Deep Instinct’s latest analysis shows that using HTA attachments is just one of three different infection chains, with the other two using self-extracting (SFX) archives and booby-trapped ZIP files, which exploit the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to distribute LONEPAGE.

In the first case, the SFX file contains an LNK shortcut disguised as a subpoena DOCX file, using the Microsoft WordPad icon to trick the victim into opening it, resulting in the execution of malicious PowerShell code that drops the LONEPAGE malware.

The other attack chain uses a specially crafted ZIP archive that exploits CVE-2023-38831, with Deep Instinct finding two such artifacts created by UAC-0099 on August 5, 2023, three days after WinRAR maintainers released a patch for the bug.

“The tactics used by ‘UAC-0099’ are simple yet effective,” the company said. “Despite the different initial infection vectors, the core infection is the same: they rely on PowerShell and the creation of a scheduled task that runs a VBS file.”
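A defender-side check for the persistence pattern described in the quote above (PowerShell creating a scheduled task that runs a VBS file). This is an added example, not code from the article or from Deep Instinct: it parses the XML task definitions Windows stores under C:\Windows\System32\Tasks and flags tasks whose Exec action launches a .vbs file through wscript/cscript, noting //B batch mode and user-writable script locations as aggravating signs. The task names, paths and XML in SAMPLE_TASKS are constructed for the demo and do not reproduce any UAC-0099 artifact.

```python
"""Hunt for scheduled tasks whose action launches a VBS file via a script host.

Added example (not from the article or Deep Instinct). Task definitions on disk
live under C:\\Windows\\System32\\Tasks and are usually UTF-16 encoded; use
decode_task_file() on the raw bytes before handing them to analyze_task().
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
# Directories an ordinary user can write to; malware scripts are commonly staged there.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    reasons: List[str] = field(default_factory=list)


def decode_task_file(data: bytes) -> str:
    """Decode a task file (UTF-16 with BOM, or UTF-8) and drop the XML declaration
    so the text can be passed to ET.fromstring as a str."""
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_task(task_name: str, xml_text: str) -> Optional[Finding]:
    """Inspect one task definition; return a Finding if an Exec action runs a .vbs file."""
    root = ET.fromstring(xml_text)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        full = f"{command} {arguments}".lower()
        reasons: List[str] = []
        if ".vbs" in full and _basename(command) in SCRIPT_HOSTS:
            reasons.append("script host (wscript/cscript) launches a .vbs file")
        elif ".vbs" in full:
            # Command set directly to the script path; the shell hands it to wscript anyway.
            reasons.append("action references a .vbs file")
        if reasons:
            if "//b" in arguments.lower():
                reasons.append("//B batch mode suppresses script errors and dialogs")
            if any(d in full for d in USER_WRITABLE):
                reasons.append("script lives in a user-writable directory")
            return Finding(task_name, command, arguments, reasons)
    return None


def scan_tasks(tasks: Dict[str, str]) -> List[Finding]:
    """Run analyze_task over a mapping of task name -> task XML and collect findings."""
    findings = []
    for name, xml_text in tasks.items():
        finding = analyze_task(name, xml_text)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample task definitions (no XML declaration; see decode_task_file).
_TASK_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2023-08-05T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS: Dict[str, str] = {
    "VendorUpdate": _TASK_TEMPLATE.format(
        command='"C:\\Program Files\\Vendor\\updater.exe"', arguments="/silent"),
    "ReportSync": _TASK_TEMPLATE.format(
        command="wscript.exe", arguments='//B "C:\\Users\\Public\\Documents\\report.vbs"'),
    "AssetInventory": _TASK_TEMPLATE.format(
        command="C:\\Windows\\System32\\cscript.exe", arguments="C:\\Scripts\\inventory.vbs"),
}

if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS):
        print(f"[!] {f.task_name}: {f.command} {f.arguments}")
        for r in f.reasons:
            print(f"    - {r}")
```

Any hit is a hunting lead rather than a verdict (AssetInventory above is flagged with a single low-weight reason); the combination of a script host, //B, and a user-writable path is what should be prioritised, and the task's creation time can then be correlated with PowerShell execution logs from the same host.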

The development comes as CERT-UA warned of a new wave of phishing messages purporting to request payment of charges from Kyivstar in order to spread a remote access trojan known as Remcos RAT. The agency attributed the campaign to UAC-0050.

#UAC0099 #WinRAR #exploit #target #Ukrainian #companies #LONEPAGE #malware
