WinRAR Flaw Exploited by UAC-0099 Hackers to Spy on Ukrainian Firms

A group of hackers known as UAC-0099 has been using a vulnerability in WinRAR, a popular file archiver tool for Windows, to infect Ukrainian firms with LONEPAGE malware and steal sensitive information. The cyber-espionage campaign has been ongoing since 2022 and has targeted government bodies and media organizations in Ukraine and Central Asia.

The vulnerability, tracked as CVE-2023-38831, is a logic flaw that causes WinRAR to extract temporary files to a random directory when processing crafted archives. Attackers can exploit it to execute arbitrary code when a user attempts to view a file within a ZIP archive. RARLabs patched the flaw in August 2023, but many installations still appear to be unpatched.


The flaw was first exploited by cybercrime groups in early 2023, when it was still unknown to defenders. A patch is now available, but malicious actors will continue to rely on n-days and use slow patching rates to their advantage. Google’s Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the WinRAR vulnerability as part of their operations. To ensure protection, TAG urges organizations and users to keep software fully up-to-date and to install security updates as soon as they become available.

UAC-0099 Hackers Deliver LONEPAGE Malware via WinRAR Exploit

UAC-0099 is a hacking group that has been conducting targeted cyber-espionage operations against Ukraine since the second half of 2022. According to CERT-UA, the Ukrainian cyber defense agency, UAC-0099 hackers have gained unauthorized remote access to dozens of computers belonging to Ukrainian organizations, with the aim of gathering intelligence from the compromised systems.

The hackers have been distributing malicious files via email and messaging apps which, once launched, infect the targeted systems with LONEPAGE malware. LONEPAGE is a PowerShell-based malware that uses JavaScript or VBScript code to download and execute malicious PowerShell commands. The malware can also send the stolen data to the attackers' server via an HTTP POST request.

In addition, the hackers can download other malicious strains onto the affected environment, such as the THUMBCHOP information stealer for Chrome and Opera browsers and the CLOGFLAG keylogger, along with TOR and SSH software used to create a covert service for remote access to the compromised computer. CERT-UA researchers also uncovered other Go-based malware samples, such as SEAGLOW and OVERJAM, used by the hackers.

UAC-0099 Hackers Move Laterally and Compromise Privileged Accounts

The UAC-0099 hackers are not only interested in stealing data from the infected systems, but also in moving laterally within the network and compromising privileged accounts. The hackers have been observed scanning the local network, gaining access to corporate information systems, and using the Windows Credential Editor (WCE) tool to dump passwords from memory.

The hackers have also used the Mimikatz tool to perform pass-the-hash and pass-the-ticket attacks, which allow them to impersonate other users and access their resources. They have also attempted to disable antivirus software and firewall settings on the compromised systems, and to delete event logs and other traces of their activity.

How to Detect and Mitigate the UAC-0099 Cyber-Espionage Campaign

CERT-UA has issued an alert covering the UAC-0099 cyber-espionage campaign and provided recommendations for organizations and users to detect and mitigate the threat. Some of the suggested measures are:

  • Restrict the ability to run certain legitimate components on the users’ workstations, including wscript.exe, cscript.exe, powershell.exe, mshta.exe, which can be exploited by adversaries.
  • Monitor network traffic for suspicious connections and requests, especially to the domains and IP addresses associated with the UAC-0099 hackers.
  • Scan the systems for the presence of LONEPAGE and other malware samples used by the hackers, and remove them if found.
  • Change the passwords of the compromised accounts and revoke any unauthorized access tokens.
  • Apply the latest security patches and updates for WinRAR and other software.
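One way to put the first recommendation into practice on the detection side, as an added example that is not part of the CERT-UA alert or of this article: a small Python checker that flags process-creation records in which one of the listed script hosts is launched by WinRAR or is handed a file inside WinRAR's temporary extraction folder. The log records are constructed for the example, and the `Rar$` temp-folder naming is an assumption about how WinRAR stages files opened from an archive.

```python
import re
from dataclasses import dataclass

# Script hosts the CERT-UA recommendation says should be restricted on workstations.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
ARCHIVER_PARENTS = {"winrar.exe"}
# Assumption: WinRAR places files opened from an archive in a temp folder named Rar$<id>.
ARCHIVE_TEMP_DIR = re.compile(r"\\Temp\\Rar\$[^\\]+\\", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process

def parse_event(line):
    # Constructed record format: image | parent image | command line
    image, parent, cmd = (part.strip() for part in line.split("|", 2))
    return ProcessEvent(image, parent, cmd)

def basename(path):
    # Lower-cased file name component of a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Reasons this event looks like a script host started from an archive viewer."""
    reasons = []
    if basename(ev.image) not in SCRIPT_HOSTS:
        return reasons
    if basename(ev.parent_image) in ARCHIVER_PARENTS:
        reasons.append("script host spawned by WinRAR")
    if ARCHIVE_TEMP_DIR.search(ev.command_line):
        reasons.append("script path inside WinRAR temp folder")
    return reasons

def find_suspicious(lines):
    """Return (image, reasons) for every record that triggers at least one reason."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits

# Constructed sample records: two suspicious, two benign.
SAMPLE_LOG = [
    r"C:\Windows\System32\wscript.exe | C:\Program Files\WinRAR\WinRAR.exe | wscript.exe C:\Users\alice\AppData\Local\Temp\Rar$DIa1234.5678\update.vbs",
    r"C:\Windows\System32\wscript.exe | C:\Windows\explorer.exe | wscript.exe C:\Scripts\logon.vbs",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\WinRAR\WinRAR.exe | powershell.exe -File C:\Users\alice\AppData\Local\Temp\Rar$DIa9.1\run.ps1",
    r"C:\Windows\System32\notepad.exe | C:\Program Files\WinRAR\WinRAR.exe | notepad.exe C:\Users\alice\AppData\Local\Temp\Rar$DIa5.5\readme.txt",
]
```

Feeding real Sysmon Event ID 1 or Windows 4688 records into `parse_event` only requires mapping their image, parent-image and command-line fields onto the same three columns.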

The UAC-0099 cyber-espionage campaign is a serious threat to the security and privacy of Ukrainian firms and organizations, as well as to the national interests of Ukraine. The hackers have been exploiting a known vulnerability in WinRAR to deliver LONEPAGE malware and other malicious tools to spy on their targets and steal their data. Organizations and users should take the necessary steps to protect themselves from this threat and keep their systems and software up-to-date.
