Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559)
Dec. 20, 2024, 2:41 p.m.
Description
A cyber attack attributed to UAC-0125 has been identified, involving websites that mimic the official 'Army+' app page. These sites, hosted on Cloudflare Workers, prompt visitors to download a malicious executable. The EXE file is an NSIS installer that contains a decoy .NET file, a Python interpreter, Tor files, and a PowerShell script. When executed, it installs an OpenSSH server, generates RSA keys, and sets up hidden remote access to the victim's computer over Tor. This activity is associated with UAC-0002 (APT44/Sandworm). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. If the initial compromise succeeds, the attackers may extend their access further into the organization's IT infrastructure.
Date
Published: Dec. 20, 2024, 2:25 p.m.
Created: Dec. 20, 2024, 2:25 p.m.
Modified: Dec. 20, 2024, 2:41 p.m.
Indicators
d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2
b663e08cc267cdb7a02d5131cb04b8b05cb6ad13ac1d571c6aafe69e06bf8f80
8ba4c3ede1ed05a3ad7075fee503215648ec078a13523492e2e91a59fa40c8da
86039bc8b1a6bb823f5cbf27d1a4a3b319b83d242f09ffcd96f38bbdbbaaa78f
4dca04f1e16cbe88776a3187031cff64981155cb3b992031250c6fed40496318
wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad.onion
Attack Patterns
UAC-0125
T1021.004
T1588.002
T1059.001
T1572
T1547.001
T1036.005
T1204.002
Additional Information
Ukraine