9 December 2024

UAC-0185 targets Ukrainian defense forces and defense industry sector

Ukraine’s Computer Emergency Response Team (CERT-UA) has uncovered targeted phishing campaigns attributed to the threat actor group UAC-0185. The attacks primarily target the Ukrainian Defense Forces and enterprises within the defense-industrial complex (DIC), leveraging sophisticated methods to gain unauthorized access to sensitive systems and information.

The CERT-UA team, in collaboration with MIL.CERT-UA, reported a wave of phishing emails on December 4, 2024. The emails, sent under the guise of the Ukrainian Union of Industrialists and Entrepreneurs (UUIE), invited recipients to a conference on transitioning Ukraine's defense production to NATO technical standards. The conference was purportedly scheduled for December 5, 2024, in Kyiv in a hybrid format.

The emails contained a link that, when clicked, downloaded a shortcut (.lnk) file; opening it started a chain of scripts that compromised the victim's computer.

The chain abused the built-in Windows utility mshta.exe to run a file named "start.hta", whose embedded JavaScript launched two PowerShell commands, one of which opened a decoy UUIE letter to keep the victim from noticing the intrusion. A ZIP archive delivered in the same chain contained several executables, which were extracted to "%LOCALAPPDATA%\Microsoft\EdgeUpdate\Update", a location named to blend in with Microsoft Edge update components; from there the batch file "Main.bat" launched the remaining payloads. Finally, "Registry.hta" established persistence by copying itself into the Startup folder and executed the remote access tool "update.exe", identified as MESHAGENT.
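The execution chain above leaves three process-level traces a defender can hunt for: mshta.exe spawning PowerShell, mshta.exe running an .hta out of the Startup folder, and anything executing from the EdgeUpdate\Update staging directory. The following is an added example of that detection logic, written for this page and not taken from CERT-UA or the report; it runs over constructed records in the shape of Sysmon process-creation events. The path fragments and file names come from the description above, while the user profile, PIDs, parent processes and the decoy file name are assumptions made for the sample data.

```python
"""Hunt for the UAC-0185 execution chain in process-creation telemetry.

Records mimic the fields of Sysmon Event ID 1 (Image, ParentImage,
CommandLine). Indicators are the ones named in the CERT-UA description;
the sample events below are constructed and not real telemetry.
"""
from dataclasses import dataclass

# Staging directory from the report, relative to %LOCALAPPDATA%, lower-cased
# for case-insensitive matching (Windows paths are case-insensitive).
STAGING_FRAGMENT = "\\microsoft\\edgeupdate\\update\\"
# Per-user Startup folder suffix; Registry.hta copies itself here for persistence.
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list[str]:
    """Return the names of the indicators a single event satisfies."""
    img, parent = _base(ev.image), _base(ev.parent_image)
    cmd = ev.command_line.lower()
    hits = []
    # start.hta: mshta.exe launches PowerShell commands
    if parent == "mshta.exe" and img in ("powershell.exe", "pwsh.exe"):
        hits.append("mshta_spawns_powershell")
    # Registry.hta persistence: mshta.exe running an .hta from the Startup folder
    if img == "mshta.exe" and STARTUP_FRAGMENT in cmd and ".hta" in cmd:
        hits.append("hta_from_startup_folder")
    # Main.bat / update.exe (MESHAGENT) executing out of the staging directory
    if STAGING_FRAGMENT in ev.image.lower() or STAGING_FRAGMENT in cmd:
        hits.append("exec_from_edgeupdate_staging")
    return hits


def hunt(events) -> dict:
    """Map pid -> indicator names for every event that matched at least one rule."""
    return {ev.pid: hits for ev in events if (hits := match_rules(ev))}


def chain_detected(events) -> bool:
    """True only when both the launcher stage (mshta -> PowerShell) and the
    staging-directory execution are present, which rules out single noisy hits."""
    seen = {h for hits in hunt(events).values() for h in hits}
    return {"mshta_spawns_powershell", "exec_from_edgeupdate_staging"} <= seen


# Constructed sample telemetry (user name, PIDs and decoy file name are invented).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mshta.exe" C:\Users\user\Downloads\start.hta'),
    ProcEvent(1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              r"powershell.exe -w hidden -c Start-Process C:\Users\user\Downloads\letter.pdf"),
    ProcEvent(1003, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\Update\Main.bat"'),
    ProcEvent(1004, r"C:\Users\user\AppData\Local\Microsoft\EdgeUpdate\Update\update.exe",
              r"C:\Windows\System32\cmd.exe", "update.exe"),
    ProcEvent(1005, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.hta"'),
    # benign noise: an interactive PowerShell session started from the taskbar
    ProcEvent(1006, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The first event (mshta.exe opening start.hta from Downloads) deliberately matches nothing on its own, since mshta.exe launched by a user is not unusual; the chain rule fires only once the PowerShell launch and the staging-directory execution are both seen, which is the combination a SOC would escalate.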

Further investigation revealed additional files and infrastructure used in related cyberattacks dating back to early 2023. CERT-UA has confirmed that UAC-0185 (also known as UNC4221) has been active since at least 2022. The group focuses on stealing credentials from communication apps such as Signal, Telegram, and WhatsApp, as well as compromising military systems like DELTA, TENETA, and Kropyva.

While their primary goal is credential theft, UAC-0185 has also carried out a smaller number of attacks aimed at establishing unauthorized remote access to the systems of DIC enterprises and Defense Forces personnel. These operations rely on legitimate remote-administration tools such as MESHAGENT and ULTRAVNC, which attackers favour because the binaries and their traffic are easy to mistake for sanctioned administration.
