Ukraine's computer emergency response team (CERT-UA) has spotted a cyber-espionage operation targeting an unnamed state entity in Ukraine.
Tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. CERT-UA, which has been tracking UAC-0063 since 2021, said that the group’s goal is cyber-espionage. The origins of this threat actor is currently unclear.
The observed campaign involved phishing emails purported to be from the Embassy of Tajikistan in Ukraine, likely sent from a previously compromised email account.
The malicious emails contained weaponized DOCX files documents designed to trigger the download of several malware tools, including:
-
Logpie - a keylogger that captures and logs every keystroke, including passwords, usernames, messages, and other sensitive information entered by the user
-
Cherryspy - a backdoor that executes Python code received from a management server
-
Stillarch - malware used to find and exfiltrate files, including data from the Logpie keylogger
To make forensic analysis more difficult the threat actor used PyArmor (a tool designed for obfuscating Python scripts) and Themida (a packer to protect applications against reverse engineering).
To minimize the attack surface organizations are advised to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter.