
"Court Summons" Phishing Lure Used in Cyberattacks on Ukrainian Government and Defence Sector
The National Cyber Security Incidents Response Team (CERT-UA) has detected and investigated a new series of targeted cyberattacks on government agencies and enterprises within the defence-industrial complex.
The attacks are conducted by the UAC-0099 group, which has substantially updated its toolkit and deployed new malware strains: MATCHBOIL, MATCHWOK, and DRAGSTARE. The threat actors employ a multi-stage attack chain designed to exfiltrate data and establish remote control over compromised systems.
The attack commences with phishing emails, frequently masquerading as official documents such as "court summonses". These emails contain a link, sometimes shortened, to a legitimate file-sharing service. Following this link initiates the download of a ZIP archive that contains a malicious HTA file, marking the beginning of the multi-stage attack.
Executing the HTA file runs VBScript code. This script creates two files on the victim's computer: one with HEX-encoded data and another with PowerShell code. A scheduled task is created to ensure this code is executed. In the next step, the PowerShell script decodes the data, forming an executable loader file for MATCHBOIL, which establishes persistence in the system via its own scheduled task.
The group's primary targets are the state authorities of Ukraine, units of the Defence Forces, and enterprises operating in the interests of the defence-industrial complex.
The CERT-UA investigation has identified three new malware samples, indicating an evolution in the group's tactics, techniques, and procedures.
MATCHBOIL (Loader)
The main purpose of this program is to deliver the primary malicious payload to the compromised computer. MATCHBOIL collects basic system information (CPU ID, BIOS serial number, username, MAC address) to identify the victim on the command-and-control server. It then downloads the next component of the attack, saves it as a COM file, and creates a registry key to ensure its automatic execution.
MATCHWOK (Backdoor)
This provides the attackers with the ability to remotely execute arbitrary PowerShell commands on the compromised system. Commands are received from the command-and-control server in an encrypted format and are executed via the PowerShell interpreter, which the program first renames and moves. The backdoor includes anti-analysis features, such as checking the system for running processes of tools like Wireshark, Fiddler, or Procmon.
DRAGSTARE (Stealer)
This malware conducts comprehensive data collection:
- System information: computer name, data on the OS, processors, memory, disks, and network interfaces.
- Browser data: steals authentication data (logins, passwords, cookies) from Chrome and Firefox, using DPAPI for decryption.
- Files: performs a recursive search on the desktop, in documents, and in downloads for files with the extensions .docx, .doc, .xls, .pdf, .ovpn, .rdp, and .txt. The found files are archived and sent to the attackers' server.
RECOMMENDATIONS FROM CERT-UA:
To counter the described threat and enhance the overall level of cybersecurity, the following measures must be taken:
- Strengthen controls over incoming correspondence. Train employees to identify phishing emails and to treat emails containing links to download archives with extreme caution.
- Restrict script execution. Configure security policies to block or monitor the execution of HTA files and VBS/PowerShell scripts, especially those launched from non-standard locations.
- Implement endpoint monitoring (EDR). Track the creation of new scheduled tasks, entries in registry autorun keys, and suspicious activity from system utilities (powershell.exe, mshta.exe).
- Ensure the protection of the network perimeter. Use modern intrusion detection systems (IDS/IPS) and proxy servers to filter and analyse traffic.
- Maintain up-to-date software. Regularly update operating systems, browsers, and antivirus databases to protect against known vulnerabilities.
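As an added defender-side example (not part of the CERT-UA advisory), the following Python triages constructed Windows telemetry for the three behaviours named in the EDR recommendation and in the attack-chain description above: mshta.exe spawning a script host, a scheduled task that runs PowerShell from a user-writable path, and an autorun registry value pointing at a .com file. The simplified event schema and all sample values are assumptions constructed for this example, not the format of any specific product.

```python
"""Triage constructed endpoint telemetry for the HTA -> PowerShell -> loader chain."""
import re

# Interpreters that mshta.exe or a scheduled task should rarely launch in a managed fleet.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Autorun locations under HKCU/HKLM (Run and RunOnce); matched case-insensitively.
AUTORUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Directory fragments a standard user can write to (non-standard launch locations).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry (assumed schema): process creation, task creation, registry set.
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "task_created", "name": r"\Updater",
     "action": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": r"-w hidden -f C:\Users\victim\AppData\Local\Temp\update.ps1"},
    {"type": "task_created", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\victim\AppData\Roaming\svc.com"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "value": "1"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(text):
    """True if the text references a directory a standard user can write to."""
    low = text.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def triage(events):
    """Return (rule_name, detail) tuples for events matching the described chain."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and basename(ev["parent"]) == "mshta.exe" \
                and basename(ev["image"]) in SCRIPT_HOSTS:
            findings.append(("mshta_spawns_script_host", basename(ev["image"])))
        elif kind == "task_created" and basename(ev["action"]) in SCRIPT_HOSTS \
                and in_user_writable_dir(ev.get("arguments", "")):
            findings.append(("task_runs_script_from_user_path", ev["name"]))
        elif kind == "registry_set" and AUTORUN_KEYS.search(ev["key"]) \
                and ev["value"].lower().endswith(".com"):
            findings.append(("autorun_points_to_com_file", ev["key"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule}: {detail}")
```

Each rule corresponds to one stage the advisory describes; the benign Firefox, Defrag and Explorer events are included to show that ordinary activity does not trigger them.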