The Laptop Emergency Response Staff of Ukraine (CERT-UA) on Tuesday warned of renewed exercise from an organized prison group it tracks as UAC-0173 that includes infecting computer systems with a distant entry trojan named DCRat (aka DarkCrystal RAT).
The Ukrainian cybersecurity authority stated it noticed the newest assault wave beginning in mid-January 2025. The exercise is designed to focus on the Notary of Ukraine.
The an infection chain leverages phishing emails that declare to be despatched on behalf of the Ministry of Justice of Ukraine, urging recipients to obtain an executable, which, when launched, results in the deployment of the DCRat malware. The binary is hosted in Cloudflare’s R2 cloud storage service.
“Having thus supplied main entry to the notary’s automated office, the attackers take measures to put in extra instruments, particularly, RDPWRAPPER, which implements the performance of parallel RDP periods, which, together with using the BORE utility, lets you set up RDP connections from the Web on to the pc,” CERT-UA stated.
The assaults are additionally characterised by means of different instruments and malware households like FIDDLER for intercepting authentication information entered within the net interface of state registers, NMAP for community scanning, and XWorm for stealing delicate information, reminiscent of credentials and clipboard content material.
Moreover, the compromised programs are used as a conduit to draft and ship malicious emails utilizing the SENDMAIL console utility with a view to additional propagate the assaults.
The event comes days after CERT-UA attributed a sub-cluster inside the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched safety flaw in Microsoft Home windows (CVE-2024-38213, CVSS rating: 6.5) within the second half of 2024 through booby-trapped paperwork.
The assault chains have been discovered to execute PowerShell instructions liable for displaying a decoy file, whereas concurrently launching extra payloads within the background, together with SECONDBEST (aka EMPIREPAST), SPARK, and a Golang loader named CROOKBAG.
The exercise, attributed to UAC-0212, focused provider corporations from Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with a few of them recorded in opposition to greater than two dozen Ukrainian enterprises specializing in improvement of automated course of management programs (ACST), electrical works, and freight transportation.
A few of these assaults have been documented by StrikeReady Labs and Microsoft, the latter of which is monitoring the menace group below the moniker BadPilot.
