"Breach Report" from UAC-0099 (CERT-UA#12463)

Dec. 18, 2024, 8:08 p.m.

Description

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted files and .NET programs for decryption and in-memory execution. The group's espionage activities continue to evolve, with changing targets and infrastructure. The attackers use Cloudflare for hiding and ensuring fault tolerance. The report emphasizes the importance of implementing proper cyber defense measures to protect state information resources.

External References

https://otx.alienvault.com/pulse/67632706a78b585404652d93
Tags
powershell
CVE-2023-38831
cloudflare
winrar
lnk files
2024-12-18
lonepage program

Date

  • Created: Dec. 18, 2024, 7:48 p.m.
  • Published: Dec. 18, 2024, 7:48 p.m.
  • Modified: Dec. 18, 2024, 8:08 p.m.

Indicators

  • fa331a275d2f966f42a6168f1cb6fdb919d272b32175985c8bf383f2d800ced2
  • fbc4fbb3c2926300ee820ff7044f35231c2a1aeeb74d1f49a6caaec7736739c6
  • eb08f96acba2b316408f66ef0c4f45a42eb207e43c605476405324726e97f9e3
  • d4eafc11cd0e4fe417c59db804ca6e8bd8bf9c0d0886627f15165937fcb68395
  • 8cc89a917ed89a8407aa1e5caa4af585f26946124cf1764e3b178261a27177af
  • 88b64a3eb0dc38e3f8288b977b1cd67af7d4ba959297ac48ef5f06bec3e77560
  • 7a0ae128961a6239a2e10059305bb83fa64251bb3f0b44162ec6efdde10fd1e8
  • 6161be2016a1fd8096b6b43544eb5df97cd3fa73a820b5e0a44618389897d733
  • 5441cb26f32a433b0abd80dfa98a3a30c78df00ca9d2a0cfc5b20c55f3aaadce
  • 53f4e38d56946a385a681c66d891d3d70c2b2fee1691ff7e7af317955e0d8b88
  • 4a42bfc95772e2f6ae58ccb37fe74b5e810f6c2973ec7a70e09884e1fe97e794
  • 322de3a4e1d356a7db22d6447807bd7576f91ed1910a57d9e8eb6f678ceb6ab4
  • 25e725e4be880354c42c008e0960ee67481229b299ff61c29c48a23939d9a041
  • 16f809cd9fb1a06f07bb947ea8b6a27f66cfca0947e29666c34ae7b35b6e471b
  • 0b16ee402ad04a673d61af43f461d475d1e3fcbdaf8714a1183ac35056bbae25
  • 0af76e87614126042a2c3409d273d606a4562f99cb9f003a9f9ec0596213a35a
  • 0aaee2882e4a71b25de5722d8936c67d40355e2f79caf994c8e10164468d3272
  • 025b9bdd156b59b18ab08921572501b6386ae45e8c0c0440855a719ae4b4c24a
  • 45.61.157.118
  • 172.86.117.53
  • 160.119.251.83
  • gosp16.spd.ics.gov.ua
  • webappapiservice.life
  • newyorktlimes.life
  • captcha-challenge.com
Download all indicators here!

Attack Patterns

  • LONEPAGE
  • UAC-0099
  • T1059.003
  • T1059.001
  • T1059.007
  • T1573
  • T1102
  • T1204
  • T1140
  • T1132
  • T1027
  • T1566