CERT-UA discovered a cyberespionage operation aimed at an undisclosed Ukrainian government agency. The campaign is attributed to the threat actor tracked as UAC-0063, which also shows signs of interest in targets in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.
UAC-0063's activity has been tracked since 2021, but the group has not been attributed to any particular country or sponsor. CERT-UA assesses that the primary objective of the attacks is intelligence gathering.
Diving into details
In its most recent campaign, the group used a compromised email account belonging to the Embassy of Tajikistan in Ukraine to send a malicious email to the Ukrainian government agency.
The message posed as an invitation to an embassy meeting but was crafted to infect the recipient's system with malware.
The cybersecurity team at CERT-UA has categorized these programs as follows:
LOGPIE: A keylogger that records and stores the victim's keystrokes, capturing usernames, passwords, and messages as they are typed.
CHERRYSPY: A backdoor that executes Python code received from its command-and-control server, giving the operators remote access to the compromised host.
STILLARCH: A file stealer that searches the compromised environment for files of interest and exfiltrates them.
To complicate analysis and hinder attribution, the attackers protected their tooling with PyArmor and Themida. Both are commercial protectors whose legitimate purpose is to guard software against reverse engineering and piracy: PyArmor obfuscates Python scripts, and Themida packs and virtualizes native Windows executables. Applied to malware, they slow static analysis and make signature-based detection less reliable.
Other attacks against Ukraine
The Russian state-backed group APT28 was found targeting Ukrainian government agencies in a phishing campaign that used fake Windows Update notifications as a lure.
In March, the Bad Magic APT group was spotted targeting Ukrainian government, agriculture, and transportation organizations with a previously unseen malware named CommonMagic.
The bottom line
To mitigate attacks by UAC-0063, CERT-UA recommends restricting the execution of mshta.exe and of the Windows Script Host interpreters wscript.exe and cscript.exe, and limiting access to the Python interpreter. These are signed, built-in or widely installed interpreters rather than malware samples: mshta.exe and the Windows Script Host are routinely abused to launch the first stage of a phishing payload, and CHERRYSPY depends on Python to run the code it receives from its server. Denying them to ordinary users therefore breaks the tooling's execution path and keeps working when the malware itself changes.
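One way to apply that recommendation on Windows is an AppLocker deny rule for each interpreter, rolled out in audit mode first. The script below is an added example, not tooling from CERT-UA or from the article; it assumes a 64-bit Windows edition that supports AppLocker enforcement (Enterprise, Education, or Server), an elevated PowerShell session, and a per-machine CPython install under Program Files (the Python paths are a guess and need adjusting to your deployment).

```powershell
# Added example: AppLocker deny rules for the utilities named in the CERT-UA
# recommendation (mshta.exe, wscript.exe, cscript.exe) plus the Python interpreter.
# Run elevated. Assumptions: 64-bit Windows with AppLocker available; Python installed
# per-machine under %PROGRAMFILES% (hypothetical path, adjust to your environment).

$blockedBinaries = @(
    '%SYSTEM32%\mshta.exe',
    '%WINDIR%\SysWOW64\mshta.exe',        # 32-bit copy on 64-bit Windows
    '%SYSTEM32%\wscript.exe',
    '%WINDIR%\SysWOW64\wscript.exe',
    '%SYSTEM32%\cscript.exe',
    '%WINDIR%\SysWOW64\cscript.exe',
    '%PROGRAMFILES%\Python*\python.exe',  # assumption: per-machine CPython install
    '%PROGRAMFILES%\Python*\pythonw.exe'
)

# One FilePathRule per binary. Each rule needs a unique GUID; Deny always wins over
# Allow in AppLocker, so these rules can be merged on top of an existing allow policy.
$rules = foreach ($path in $blockedBinaries) {
    $id   = [guid]::NewGuid().ToString()
    $leaf = Split-Path -LiteralPath $path -Leaf
    $name = "Block $leaf (UAC-0063 mitigation)"
    @"
    <FilePathRule Id="$id" Name="$name" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

# AuditOnly logs what would have been blocked (AppLocker EXE and DLL log, event ID 8003)
# without stopping anything; switch to Enabled once the log shows no legitimate use.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'uac-0063-deny.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# -Merge keeps the rules already on the host (including the default Allow rules an
# enforced Exe collection must contain) and adds the Deny rules alongside them.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker rules are only evaluated while the Application Identity service runs.
# Since Windows 10 1903 it is a protected service, so Set-Service is refused; use sc.exe.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# Check the decision the effective policy now makes for each interpreter (expect Denied).
$effectivePath = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePath -Encoding UTF8
$targets = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe"
)
Test-AppLockerPolicy -XmlPolicy $effectivePath -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Two caveats a practitioner should weigh before enforcing. If the host has no AppLocker policy yet, create the default Allow rules first; otherwise, once the collection is switched to Enabled, every executable not explicitly allowed is blocked. Path rules are also the weakest rule type: a copy of mshta.exe dropped in another directory no longer matches, so for the Microsoft-signed binaries a publisher rule keyed on the binary name is more robust, and the Python rule should cover whatever locations (per-user installs under %LOCALAPPDATA%, embedded distributions) exist in your estate.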
Cybersecurity researchers continue to track several cyberespionage campaigns against Ukraine, including those noted above, analyzing and responding to the evolving tactics of the threat actors behind them.