Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559)

Dec. 20, 2024, 2:41 p.m.

Description

A cyber attack attributed to UAC-0125 has been identified, involving websites mimicking the official 'Army+' app page. These sites, hosted on Cloudflare Workers, prompt users to download a malicious executable. The EXE file, an NSIS installer, contains a decoy .NET file, a Python interpreter, Tor files, and a PowerShell script. When executed, it installs an OpenSSH server, generates RSA keys, and sets up hidden remote access to the victim's computer via Tor. This activity is associated with UAC-0002 (APT44/Sandworm). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. If the initial compromise succeeds, the attackers may further expand their attack across the organization's IT infrastructure.

Date

  • Created: Dec. 20, 2024, 2:25 p.m.
  • Published: Dec. 20, 2024, 2:25 p.m.
  • Modified: Dec. 20, 2024, 2:41 p.m.

Indicators

  • d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2
  • b663e08cc267cdb7a02d5131cb04b8b05cb6ad13ac1d571c6aafe69e06bf8f80
  • 8ba4c3ede1ed05a3ad7075fee503215648ec078a13523492e2e91a59fa40c8da
  • 86039bc8b1a6bb823f5cbf27d1a4a3b319b83d242f09ffcd96f38bbdbbaaa78f
  • 4dca04f1e16cbe88776a3187031cff64981155cb3b992031250c6fed40496318
  • wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad.onion

Attack Patterns

Additional Information

  • Ukraine