19 December 2024

UAC-0125 malware campaign targeting Ukrainian military personnel

The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted a malicious campaign targeting Ukrainian military personnel that abuses Cloudflare Workers to distribute malware disguised as the legitimate mobile application Army+. The app was originally introduced by Ukraine's Ministry of Defense in August 2024 to facilitate paperless processes within the armed forces.

Victims are lured to fraudulent websites hosted via Cloudflare Workers, where they are prompted to download a Windows executable version of Army+ labeled "ArmyPlusInstaller-v.0.10.23722.exe." The installer is crafted using the Nullsoft Scriptable Install System (NSIS), a common open-source tool for creating Windows installers.

When executed, the installer launches a decoy file to mask its malicious behavior and runs a PowerShell script that installs an OpenSSH server on the victim's machine, generates an RSA key pair for secure communication, adds the attacker's public key to the "authorized_keys" file to enable remote authentication, exfiltrates the private key with curl to a remote server hosted on the Tor network, and publishes a hidden SSH service on the victim's device via Tor.
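As an added defender-side example (not code from the article or from CERT-UA), the following Python audits two of the host artifacts that this persistence pattern leaves behind: an "authorized_keys" entry whose key is not on an allowlist, and a Tor hidden service that forwards to port 22. The file paths and the sample file contents are constructed assumptions, not indicators taken from the campaign.

```python
import os

# Default Windows OpenSSH authorized_keys location (a documented default, assumed here, not from the article).
ADMIN_KEYS_PATH = r"C:\ProgramData\ssh\administrators_authorized_keys"

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

# Constructed sample inputs so the checks run offline.
SAMPLE_KEYS = """# constructed sample, not a real artifact
ssh-ed25519 AAAAC3KnownAdminKey admin@corp
no-pty,command="/bin/false" ssh-rsa AAAAB3UnknownKey attacker
"""
SAMPLE_TORRC = """# constructed sample, not a real artifact
HiddenServiceDir C:\\ProgramData\\tor\\ssh_hs
HiddenServicePort 22 127.0.0.1:22
"""


def unexpected_keys(authorized_keys_text, allowlist):
    """Return key blobs in authorized_keys that are not on the allowlist.
    Entries may carry a leading options field (no embedded spaces assumed),
    so scan the tokens for the key type rather than trusting column 0."""
    found = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPES):
                if tokens[i + 1] not in allowlist:
                    found.append(tokens[i + 1])
                break
    return found


def ssh_hidden_services(torrc_text):
    """Return (HiddenServiceDir, HiddenServicePort line) pairs whose target is port 22.
    HiddenServicePort takes 'VIRTPORT [TARGET]', where TARGET is '22' or 'host:22'."""
    hits, current_dir = [], None
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split()
        if len(parts) >= 2 and parts[0] == "HiddenServiceDir":
            current_dir = parts[1]
        elif len(parts) >= 2 and parts[0] == "HiddenServicePort":
            target = parts[2] if len(parts) > 2 else parts[1]
            if target.rsplit(":", 1)[-1] == "22":
                hits.append((current_dir, " ".join(parts)))
    return hits


if __name__ == "__main__":
    if os.path.exists(ADMIN_KEYS_PATH):  # on a real host, review every key present
        with open(ADMIN_KEYS_PATH, encoding="utf-8", errors="replace") as fh:
            print(unexpected_keys(fh.read(), set()))
```

Run against a real host, the allowlist should hold the fingerprints or blobs of keys your administrators actually provisioned, and the torrc parser can be pointed at any tor configuration found outside your software inventory.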

CERT-UA has linked this activity to UAC-0125 with a high level of confidence, further associating it with the larger cluster UAC-0002 (commonly referred to as APT44 or Sandworm). Sandworm is a notorious cyber-espionage group linked to Russian intelligence services.

This is not the first time the group has targeted Ukrainian entities. Earlier in 2024, UAC-0125 leveraged trojanized Microsoft Office packages, including "Office16.iso" files, as a primary compromise vector. These files contained malicious components, such as "omas-x-none.msp" and "CommunicatorContentBinApp.cmd," which executed PowerShell commands to initiate further infections.
