The Laptop Emergency Response Workforce of Ukraine (CERT-UA) on Tuesday warned of renewed exercise from an organized prison group it tracks as UAC-0173 that entails infecting computer systems with a distant entry trojan named DCRat (aka DarkCrystal RAT).
The Ukrainian cybersecurity authority stated it noticed the most recent assault wave beginning in mid-January 2025. The exercise is designed to focus on the Notary of Ukraine.
The an infection chain leverages phishing emails that declare to be despatched on behalf of the Ministry of Justice of Ukraine, urging recipients to obtain an executable, which, when launched, results in the deployment of the DCRat malware. The binary is hosted in Cloudflare’s R2 cloud storage service.
“Having thus offered main entry to the notary’s automated office, the attackers take measures to put in further instruments, particularly, RDPWRAPPER, which implements the performance of parallel RDP classes, which, together with the usage of the BORE utility, lets you set up RDP connections from the Web on to the pc,” CERT-UA said.
The assaults are additionally characterised by means of different instruments and malware households like FIDDLER for intercepting authentication knowledge entered within the net interface of state registers, NMAP for community scanning, and XWorm for stealing delicate knowledge, resembling credentials and clipboard content material.
Moreover, the compromised programs are used as a conduit to draft and ship malicious emails utilizing the SENDMAIL console utility with the intention to additional propagate the assaults.
The event comes days after CERT-UA attributed a sub-cluster inside the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched safety flaw in Microsoft Home windows (CVE-2024-38213, CVSS rating: 6.5) within the second half of 2024 by way of booby-trapped paperwork.
The assault chains have been discovered to execute PowerShell instructions chargeable for displaying a decoy file, whereas concurrently launching further payloads within the background, together with SECONDBEST (aka EMPIREPAST), SPARK, and a Golang loader named CROOKBAG.
The exercise, attributed to UAC-0212, focused provider firms from Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with a few of them recorded in opposition to greater than two dozen Ukrainian enterprises specializing in growth of automated course of management programs (ACST), electrical works, and freight transportation.
A few of these assaults have been documented by StrikeReady Labs and Microsoft, the latter of which is monitoring the risk group beneath the moniker BadPilot.
Source link