| Category | Details |
|---|---|
| Threat Actors | - UAC-0125, linked to russia-backed UAC-0002 (aka APT44, Sandworm, UAC-0133) |
| Campaign Overview | - Targets Ukrainian organizations, including military and critical infrastructure<br>- Fake websites mimic the “Army+” app, hosted via Cloudflare Workers |
| Target Regions (Victims) | - Ukraine (state bodies, military, critical infrastructure) |
| Methodology | - Phishing campaigns using fake Army+ websites<br>- Malware-laden installer “ArmyPlusInstaller-v.0.10.23722.exe” uses PowerShell scripts, Tor, and SSH to gain remote access |
| Product Targeted | - Army+ app (used by Ukrainian military personnel) |
| Malware Reference | - Data-wiping malware, BlackEnergy (2015-2016), Industroyer 2 (2022) |
| Tools Used | - NSIS installer, Tor, PowerShell, OpenSSH |
| Vulnerabilities Exploited | - Abuse of Cloudflare Workers for hosting malicious sites<br>- Exploits involving trojanized Microsoft Office components |
| TTPs | - Initial Access: Phishing with fake websites (T1566)<br>- Execution: PowerShell scripts (T1059.001)<br>- Command and Control: Multi-hop proxy via Tor (T1090.003)<br>- Exfiltration: Use of cURL for private key exfiltration (T1041) |
| Attribution | - High confidence linking UAC-0125 to Sandworm/APT44, a russia-backed APT group |
| Recommendations | - Monitor for suspicious PowerShell and Tor activities<br>- Implement strict controls on downloading and executing installers<br>- Educate users on phishing and fake website risks<br>- Leverage SOC Prime’s detection tools |
| Source | SOC Prime |
Read full article: https://socprime.com/blog/uac-0125-attacks-against-ukraine-detection/
The above summary has been generated by an AI language model.