| Category | Details |
|---|---|
| Threat Actors | – UAC-0125, linked to russia-backed UAC-0002 (aka APT44, Sandworm, UAC-0133) |
| Campaign Overview | – Targets Ukrainian organizations, including military and critical infrastructure<br>– Fake websites mimic the “Army+” app, hosted via Cloudflare Workers |
| Target Regions (Victims) | – Ukraine (state bodies, military, critical infrastructure) |
| Methodology | – Phishing campaigns using fake Army+ websites<br>– Malware-laden installer “ArmyPlusInstaller-v.0.10.23722.exe” uses PowerShell scripts, Tor, and SSH to gain remote access |
| Product Targeted | – Army+ app (used by Ukrainian military personnel) |
| Malware Reference | – Data-wiping malware, BlackEnergy (2015-2016), Industroyer 2 (2022) |
| Tools Used | – NSIS installer, Tor, PowerShell, OpenSSH |
| Vulnerabilities Exploited | – Abuse of Cloudflare Workers for hosting malicious sites<br>– Exploits involving trojanized Microsoft Office components |
| TTPs | – Initial Access: Phishing with fake websites (T1566)<br>– Execution: PowerShell scripts (T1059.001)<br>– Command and Control: Multi-hop proxy via Tor (T1090.003)<br>– Exfiltration: Use of cURL for private key exfiltration (T1041) |
| Attribution | – High confidence linking UAC-0125 to Sandworm/APT44, a russia-backed APT group |
| Recommendations | – Monitor for suspicious PowerShell and Tor activities<br>– Implement strict controls on downloading and executing installers<br>– Educate users on phishing and fake website risks<br>– Leverage SOC Prime’s detection tools |
| Source | SOC Prime |
Read full article: https://socprime.com/blog/uac-0125-attacks-against-ukraine-detection/
The above summary has been generated by an AI language model