Ukraine's Government Computer Emergency Response Team (CERT-UA) is warning of a widespread phishing campaign involving emails with tax-related subjects, containing attachments disguised as official requests from the State Tax Service of Ukraine. This malicious campaign is financially motivated and is attributed to a threat group tracked as UAC-0050, targeting enterprise accountants who handle remote banking systems.
The phishing emails carry PDF attachments containing links to file-hosting services (such as qaz.im, qaz.is, and qaz.su). When users click these links, a file named “dps_tax_gov_ua_0739220983.rar” is downloaded onto their computer. The archive contains a password-protected file with a malicious self-extracting executable.
Once launched, this executable displays a decoy document to distract the user while silently installing an MSI package that deploys the LiteManager remote management tool. LiteManager gives the attackers unauthorized access to the infected computer, enabling them to control the device and potentially access sensitive financial information.
The main targets of this cyber-attack are accountants with access to corporate remote banking systems. CERT-UA has noted that, based on forensic analyses, attackers can often escalate to direct financial theft in under an hour from the initial compromise.
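The download step described above can be hunted for in web-proxy logs. The following is an added example, not code from CERT-UA: it flags archive downloads from the three named file-hosting domains and file names that follow the reported lure. The log format, the sample lines, the archive extension list and the generalisation of the file name to any digit run are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Domains and the lure file name come from the article; the rest is assumed.
HOSTING_DOMAINS = ("qaz.im", "qaz.is", "qaz.su")
# Assumption: the numeric part of the reported file name varies per message.
LURE_NAME = re.compile(r"^dps_tax_gov_ua_\d+\.rar$", re.IGNORECASE)
ARCHIVE_EXT = (".rar", ".zip", ".7z")

# Constructed sample log (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2024-01-01T09:12:03Z 10.0.5.21 GET https://qaz.im/load/AbCd/dps_tax_gov_ua_0739220983.rar 200
2024-01-01T09:12:40Z 10.0.5.22 GET https://example.org/reports/q4.rar 200
2024-01-01T09:13:10Z 10.0.5.23 GET https://files.qaz.su/x/invoice.zip 200
2024-01-01T09:14:55Z 10.0.5.24 GET https://notqaz.im/a/dps_tax_gov_ua_1.rar 200
2024-01-01T09:15:02Z 10.0.5.25 GET https://QAZ.IS/index.html 200
malformed line
"""

def host_matches(host):
    """True for a listed domain or any subdomain of it, never a look-alike suffix."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)

def triage(log_text):
    """Return one finding per log line that matches either indicator."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = parts
        u = urlsplit(url)
        name = unquote(u.path.rsplit("/", 1)[-1])
        reasons = []
        if host_matches(u.hostname) and name.lower().endswith(ARCHIVE_EXT):
            reasons.append("archive_from_named_host")
        if LURE_NAME.match(name):
            reasons.append("tax_lure_filename")
        if reasons:
            findings.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["client"], ",".join(f["reasons"]), f["url"])
```

A client that matches both reasons is the strongest lead; a file-name match on an unlisted host is still worth review, since the article lists the hosting domains only as examples.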