Remote Utilities Exploitation: New Phishing Campaign by the UAC-0096 Group Targeting Ukrainian Organizations  | Tech Prism



On the heels of the mass email distribution in the recent malicious campaign targeting Ukrainian state bodies with the Remcos (Remote Control and Surveillance) Trojan, threat actors are exploiting another remote administration tool, Remote Utilities, to attack Ukrainian organizations. CERT-UA warns the global cyber defender community about ongoing phishing attacks attributed to the UAC-0096 hacking group.

Analysis of the latest phishing attacks by UAC-0096 hackers leveraging Remote Utilities

On February 13, CERT-UA researchers issued a new alert, CERT-UA#5961, detailing the mass distribution of emails posing as the National Security and Defense Council of Ukraine. In this ongoing campaign, threat actors use the phishing attack vector to target Ukrainian organizations with Remote Utilities, a legitimate remote administration tool.

Just a few days before this phishing campaign, CERT-UA researchers detected other malicious activity targeting Ukrainian state bodies and leveraging a different remote administration tool, the Remcos RAT. That activity was attributed to the UAC-0050 hacking collective, which had itself used Remote Utilities in its earlier campaigns.

In the ongoing phishing attacks against Ukraine, adversaries use a lure email subject line referring to critical security updates and attach a malicious RAR archive purportedly containing the details of those updates. The RAR file, in turn, contains a decoy image with fake guidelines and a split file that hides an executable. Launching the executable installs Remote Utilities on the victim's computer, giving the attackers remote access for further malicious activity. The observed adversary behavior patterns are attributed to the hacking group UAC-0096.

Detection of malicious UAC-0096 activity covered in alert CERT-UA#5961

Since Russia's full-scale invasion of Ukraine, cyber defenders have seen rising volumes of phishing attacks targeting Ukrainian state bodies and organizations across multiple industry sectors. SOC Prime has been on the cyber frontlines helping Ukraine and its allies proactively defend against Russia-affiliated attacks of any scale and detect adversarial TTPs. To help organizations detect malicious activity of the UAC-0096 group abusing Remote Utilities in a timely manner, SOC Prime's Detection-as-Code platform provides access to the full list of curated Sigma rules addressing the attacker TTPs covered in the latest CERT-UA alert. All detections can be used across dozens of SIEM, EDR, and XDR solutions, sparing teams time-consuming SIEM migration and manual tuning.

Click the Explore Detections button below to access dedicated high-quality alerts and search queries enriched with relevant cyber threat context, including MITRE ATT&CK® references and CTI links. To simplify the search for the dedicated Sigma rules, the SOC Prime Platform supports filtering by the custom tags "CERT-UA#5961" and "UAC-0096", based on the alert and group identifiers. Either tag can be browsed for the relevant detection content.

Explore Detections

Security engineers can also automate their search for indicators of compromise related to UAC-0096 activity by leveraging the new version of the Uncoder.IO tool, which now supports IOC conversion for multiple SIEM and XDR platforms. Simply paste the CERT-UA-provided file, host, or network IOCs into the user interface and select the content type of your target query to instantly create performance-optimized IOC queries ready to run in your chosen environment. Uncoder.IO is a free project built with privacy in mind: no authentication, no log collection, and all data is kept session-based.

Generation of IOC queries through Uncoder.IO based on the IOCs covered in the CERT-UA#5961 alert

MITRE ATT&CK Context

To dig into the deeper context behind the UAC-0096 campaign covered in the latest February CERT-UA alert, all of the above-mentioned Sigma rules are tagged with ATT&CK v12, addressing the following tactics and techniques:

Tactic / Technique / Sigma rule

Initial Access: Phishing (T1566)
- Running from RAR Archive (via process_creation)
- Suspicious files extracted from an archive (via file_event)
- Extracting files directly from the mail client (via process_creation)

Defense Evasion: Masquerading (T1036)
- Executable file name with suspicious KB prefix (via cmdline)

Command and Control: Remote Access Software (T1219)
- Various remote access software (via security)
- Various remote access software (via system)
- Various remote access software (via process_creation)
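To make the attack chain and the process_creation rows of the table concrete, the following is an added example (not SOC Prime's Sigma rules and not CERT-UA's IOCs) that evaluates four of those detection ideas over constructed Sysmon-style process creation events: an archiver spawned by a mail client, an executable running out of WinRAR's temporary extraction folder, a file name masquerading as a Windows update (the KB prefix), and the Remote Utilities host process starting. The mail client and archiver names, the Remote Utilities binary names (rutserv.exe, rfusclient.exe) and the sample events are assumptions of this example; the page itself names none of them.

```python
"""Added example: process_creation detection logic for the UAC-0096 chain
(RAR attachment -> KB-named executable -> Remote Utilities host).
Events are dicts shaped like Sysmon Event ID 1 fields; they are constructed
for this example, not real telemetry."""
import re
from typing import Dict, List

# Assumed Remote Utilities host binaries (T1219). The page does not list them.
REMOTE_UTILITIES_IMAGES = {"rutserv.exe", "rfusclient.exe"}

# Assumed mail clients and archivers for the "extracting from the mail client" check.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}

# WinRAR unpacks files opened in place to %LOCALAPPDATA%\Temp\Rar$<id>;
# a process whose image lives there was launched straight out of the archive.
RAR_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\Rar\$", re.IGNORECASE)

# "KB" followed by digits and ".exe" mimics a Microsoft update package name (T1036).
KB_PREFIX_RE = re.compile(r'(?:^|\\)KB\d{5,}[^\\\s"]*\.exe\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection that fires for one process_creation event."""
    hits: List[str] = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")

    if RAR_TEMP_RE.search(image):
        hits.append("Running from RAR Archive (via process_creation)")
    if basename(parent) in MAIL_CLIENTS and basename(image) in ARCHIVERS:
        hits.append("Extracting files directly from the mail client (via process_creation)")
    if KB_PREFIX_RE.search(image) or KB_PREFIX_RE.search(cmdline):
        hits.append("Executable file name with suspicious KB prefix (via cmdline)")
    if basename(image) in REMOTE_UTILITIES_IMAGES:
        hits.append("Various remote access software (via process_creation)")
    return hits


def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Evaluate a batch of events in order; one list of hits per event."""
    return [evaluate(e) for e in events]


# Constructed sample events following the chain described in the alert.
SAMPLE_EVENTS = [
    {   # the user opens the RAR attachment from the mail client
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\ivan\AppData\Local\Temp\security_update.rar"',
    },
    {   # the hidden executable, named like a Windows update, runs from WinRAR's temp dir
        "Image": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa1234.5678\KB5022834.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'"C:\Users\ivan\AppData\Local\Temp\Rar$EXa1234.5678\KB5022834.exe"',
    },
    {   # the dropper installs and starts the Remote Utilities host
        "Image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
        "ParentImage": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa1234.5678\KB5022834.exe",
        "CommandLine": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe"',
    },
    {   # benign: a real update package passed to the Windows Update Standalone Installer
        "Image": r"C:\Windows\System32\wusa.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wusa.exe" C:\Users\ivan\Downloads\windows10.0-kb5022834-x64.msu',
    },
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(basename(event["Image"]), "->", hits or "no detection")
```

The last sample shows why the KB check is anchored on an .exe name rather than on the string "kb" alone: legitimate update packages carry the same prefix inside .msu file names, and a looser pattern would alert on every Windows Update Standalone Installer run. In production these checks would be expressed as the Sigma rules listed above rather than hand-written Python, but the logic is the same.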

Looking for more curated rules and queries to improve your organization's cybersecurity posture? Explore SOC Prime's Sigma rules search engine for relevant Sigma rules detecting attacks that abuse Remote Utilities, and ensure your team is always armed with proactive cyber defense capabilities.

The post Remote Utilities Exploitation: New Phishing Campaign by the UAC-0096 Group Targeting Ukrainian Organizations appeared first on SOC Prime.
