UAC-0125 Attack Detection: Hackers Use Fake Websites on Cloudflare Workers to Exploit the “Army+” Application

Category / Details

Threat Actors
– UAC-0125, linked to russia-backed UAC-0002 (aka APT44, Sandworm, UAC-0133)

Campaign Overview
– Targets Ukrainian organizations, including military and critical infrastructure
– Fake websites mimic the “Army+” app, hosted via Cloudflare Workers

Target Regions (Victims)
– Ukraine (state bodies, military, critical infrastructure)

Methodology
– Phishing campaigns using fake Army+ websites
– Malware-laden installer “ArmyPlusInstaller-v.0.10.23722.exe” uses PowerShell scripts, Tor, and SSH to gain remote access

Product Targeted
– Army+ app (used by Ukrainian military personnel)

Malware Reference
– Data-wiping malware, BlackEnergy (2015-2016), Industroyer 2 (2022)

Tools Used
– NSIS installer, Tor, PowerShell, OpenSSH

Vulnerabilities Exploited
– Abuse of Cloudflare Workers for hosting malicious sites
– Exploits involving trojanized Microsoft Office components

TTPs
– Initial Access: Phishing with fake websites (T1566)
– Execution: PowerShell scripts (T1059.001)
– Command and Control: Multi-hop proxy via Tor (T1090.003)
– Exfiltration: Use of cURL for private key exfiltration (T1041)

Attribution
– High confidence linking UAC-0125 to Sandworm/APT44, a russia-backed APT group

Recommendations
– Monitor for suspicious PowerShell and Tor activities
– Implement strict controls on downloading and executing installers
– Educate users on phishing and fake website risks
– Leverage SOC Prime’s detection tools

Source
– SOC Prime
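The recommendation to monitor PowerShell and Tor activity can be turned into a simple process-lineage check for the chain the summary describes (installer launches PowerShell, which launches Tor, OpenSSH and cURL). The following is an added example, not code from SOC Prime or the article; the events, paths and process ids are constructed Sysmon-style samples, not real telemetry.

```python
# Added example (not from the SOC Prime article): flag the installer -> PowerShell -> Tor/SSH/cURL
# execution chain over constructed process-creation events (Sysmon Event ID 1 fields, simplified).

# Constructed sample events; pids/paths are illustrative only.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\ArmyPlusInstaller-v.0.10.23722.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\tor\tor.exe"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\OpenSSH\ssh.exe"},
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\System32\curl.exe"},
    # Benign interactive PowerShell started from explorer: must not alert.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

SUSPECT_CHILDREN = {"tor.exe", "ssh.exe", "curl.exe"}   # tools named in the summary
INSTALLER_HINT = "armyplusinstaller"                     # substring of the reported installer name


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Walk the parent chain from pid upward; stop on unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_chain(events):
    """Return (pid, name, lineage) for Tor/SSH/cURL spawned by PowerShell under the installer."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name not in SUSPECT_CHILDREN:
            continue
        names = [basename(c["image"]) for c in ancestry(e["ppid"], by_pid)]
        spawned_by_powershell = bool(names) and names[0] == "powershell.exe"
        under_installer = any(INSTALLER_HINT in n for n in names)
        if spawned_by_powershell and under_installer:
            alerts.append((e["pid"], name, " <- ".join(names)))
    return alerts


if __name__ == "__main__":
    for pid, name, lineage in detect_chain(EVENTS):
        print(f"ALERT pid={pid} {name} spawned via {lineage}")
```

On real telemetry the parent map would be built from Sysmon or EDR process-creation events, and the installer-name hint should be broadened to any unsigned installer in a user-writable path rather than one file name.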

Read full article: https://socprime.com/blog/uac-0125-attacks-against-ukraine-detection/

The above summary has been generated by an AI language model

Source: SOC Prime

Published on: December 18, 2024
