Ukraine's Government Computer Emergency Response Team (CERT-UA) detected a series of cyberattacks carried out by the threat group UAC-0099 that took place in November and December 2024. The attacks targeted multiple government organizations, including forestry enterprises, forensic institutions, industrial plants, and other entities, likely for espionage.
The threat actors employed phishing emails to deliver malware. The emails contained double-archived attachments, often with LNK or HTA files as payloads. Notably, some of these archives exploited a known WinRAR vulnerability tracked as CVE-2023-38831.
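A mail-gateway or sandbox check for the delivery pattern described above (an archive nested inside an archive, carrying LNK or HTA payloads) can be written with nothing but the standard library. The following is an added example, not code from CERT-UA or from the advisory; it walks ZIP archives only (RAR needs a third-party reader), the extension list and the `max_depth` limit are a hypothetical policy, and the sample archive it builds is constructed here to exercise the checks. The trailing-space heuristic flags the file-and-same-named-directory layout that the CVE-2023-38831 trigger relies on; it is a heuristic, not a parser for the vulnerability.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Payload types named in the CERT-UA summary (LNK, HTA) plus other script
# formats commonly used as droppers. Hypothetical policy; extend as needed.
SUSPICIOUS_EXTENSIONS = {".lnk", ".hta", ".cmd", ".bat", ".vbs", ".js", ".ps1"}


@dataclass
class Finding:
    path: str      # archive-internal path; nested levels are joined with "!/"
    reason: str


def _extension(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def scan_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 4) -> list[Finding]:
    """Walk a ZIP (and any ZIPs nested inside it) and report suspicious content."""
    findings: list[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding(prefix or "<root>", "not a readable ZIP archive")]

    infos = zf.infolist()
    dir_names = {i.filename.rstrip("/") for i in infos if i.is_dir()}

    for info in infos:
        path = prefix + info.filename
        if info.is_dir():
            continue
        ext = _extension(info.filename)

        # 1. Nesting: an archive delivered inside an archive ("double-archived").
        if ext == ".zip":
            if depth + 1 > max_depth:
                findings.append(Finding(path, "nesting deeper than max_depth"))
            else:
                findings.append(Finding(path, "nested archive"))
                findings.extend(scan_archive(zf.read(info), path + "!/", depth + 1, max_depth))
            continue

        # 2. Shortcut or script payloads.
        if ext in SUSPICIOUS_EXTENSIONS:
            findings.append(Finding(path, f"suspicious payload type {ext}"))

        # 3. Heuristic for the CVE-2023-38831 layout: a benign-looking file whose
        #    name is shared by a directory entry carrying a trailing space.
        if info.filename + " " in dir_names:
            findings.append(Finding(path, "file name shadowed by directory with trailing space"))

    return findings


def build_sample() -> bytes:
    """Constructed test input: outer.zip -> inner.zip -> decoy PDF plus shadow directory with an LNK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 placeholder")
        z.writestr("report.pdf /", b"")
        z.writestr("report.pdf /report.pdf .lnk", b"L\x00\x00\x00 placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_sample() -> bytes:
    """Constructed test input: a single-level archive with an ordinary text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample()):
        print(f"{f.reason:55} {f.path}")
```

Each finding is kept separately rather than collapsed into a single verdict, so a gateway can weight them (nesting alone is common in legitimate mail; nesting plus an LNK at the bottom is not) and an analyst sees exactly which entry tripped which rule.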
Following initial compromise, the attackers deployed a malicious tool known as LONEPAGE, capable of executing remote commands on infected systems. CERT-UA observed notable changes in tactics, techniques, and procedures (TTPs).
Previously, LONEPAGE was delivered as a single VBS file stored within the compromised system's directories. However, in December, UAC-0099 adopted a more sophisticated method, involving encrypted files (3DES) and a .NET-based tool that decrypted the encrypted content and executed PowerShell code in memory, reducing the risk of detection by traditional security tools.
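Because the new loader runs PowerShell code in memory from a .NET process, there may be no powershell.exe process creation to alert on. One telemetry source that still fires is DLL load monitoring: a .NET program that hosts the PowerShell engine has to load System.Management.Automation.dll (or its native-image variant) into its own process. The example below is added here and is not CERT-UA's detection logic; it assumes the loader hosts the engine in-process, which the advisory summary does not state, and it consumes simplified JSON-lines records modelled on Sysmon ImageLoad (Event ID 7) fields. The log lines and the `updater.exe` path are constructed placeholders.

```python
from __future__ import annotations

import json

# Processes that are expected to load the PowerShell engine DLL.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Matches System.Management.Automation.dll and System.Management.Automation.ni.dll.
AUTOMATION_DLL_PREFIX = "system.management.automation"


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_unusual_powershell_host(event: dict) -> bool:
    """True for an ImageLoad event where a non-PowerShell process loads the engine."""
    if event.get("EventID") != 7:
        return False
    loaded = image_name(str(event.get("ImageLoaded", "")))
    if not (loaded.startswith(AUTOMATION_DLL_PREFIX) and loaded.endswith(".dll")):
        return False
    return image_name(str(event.get("Image", ""))) not in POWERSHELL_HOSTS


def find_unusual_hosts(lines: list[str]) -> tuple[list[dict], int]:
    """Return (alerts, malformed_count) for a batch of JSON-lines events."""
    alerts: list[dict] = []
    malformed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # keep going; one bad record must not stop triage
            continue
        if is_unusual_powershell_host(event):
            alerts.append({
                "host": event.get("Computer", "?"),
                "image": event.get("Image", "?"),
                "pid": event.get("ProcessId"),
                "dll": event.get("ImageLoaded", "?"),
            })
    return alerts, malformed


# Constructed sample records (not real telemetry). Field names follow Sysmon Event 7.
SAMPLE_LOG = [
    '{"EventID": 7, "Computer": "ws01", "ProcessId": 4120, '
    '"Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", '
    '"ImageLoaded": "C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System.Manaa57fc8cc#\\\\System.Management.Automation.ni.dll"}',
    '{"EventID": 7, "Computer": "ws01", "ProcessId": 5388, '
    '"Image": "C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\updater.exe", '
    '"ImageLoaded": "C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL\\\\System.Management.Automation\\\\v4.0_3.0.0.0__31bf3856ad364e35\\\\System.Management.Automation.dll"}',
    '{"EventID": 7, "Computer": "ws01", "ProcessId": 5388, '
    '"Image": "C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\updater.exe", '
    '"ImageLoaded": "C:\\\\Windows\\\\System32\\\\kernel32.dll"}',
    '{"EventID": 1, "Computer": "ws01", "ProcessId": 5388, '
    '"Image": "C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\updater.exe"}',
    'this line is not JSON',
]


if __name__ == "__main__":
    alerts, bad = find_unusual_hosts(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['host']}: pid {a['pid']} {a['image']} loaded {a['dll']}")
    print(f"{bad} malformed record(s) skipped")
```

The allow-list of hosts is deliberately short; legitimate third-party tools (management agents, some installers) also host the engine, so in production the list is tuned per environment and the alert is enriched with the loading image's signer and path rather than used as a hard block.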
The group has been observed using Cloudflare services to obfuscate its infrastructure and hide malicious traffic.
CERT-UA’s security advisory provides Indicators of Compromise (IoCs) related to the observed activities.