The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE.
"This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in several European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.
UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware referred to as DownEx (aka STILLARCH). It is suspected to share links with a known Russian state-sponsored actor called APT28.
Mere weeks later, the Computer Emergency Response Team of Ukraine (CERT-UA) – which assigned the threat cluster its moniker – revealed that the hacking group has been operational since at least 2021, attacking state bodies in the country with a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and DownEx.
There is evidence that UAC-0063 has also targeted various entities and organizations in Central Asia, East Asia, and Europe, according to Recorded Future's Insikt Group, which has assigned the threat actor the name TAG-110.
Earlier this month, cybersecurity firm Sekoia disclosed that it identified a campaign undertaken by the hacking crew that involved using documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan to spear-phish targets and deliver the HATVIBE malware.
The latest findings from Bitdefender show a continuation of this behavior, with the intrusions ultimately paving the way for DownEx, DownExPyer, and a newly discovered USB data exfiltrator codenamed PyPlunderPlug in at least one incident targeting a German company in mid-January 2023.
DownExPyer comes fitted with various features to maintain a persistent connection with a remote server and receive commands to collect data, execute commands, and deploy additional payloads. The list of tasks received from the command-and-control (C2) server is below –
- A3 – Exfiltrate files matching a specific set of extensions to the C2
- A4 – Exfiltrate files and keystroke logs to the C2 and delete them after transmission
- A5 – Execute commands (by default the "systeminfo" function is called to harvest system information)
- A6 – Enumerate the file system
- A7 – Take screenshots
- A11 – Terminate another running task
"The stability of DownExPyer's core functionalities over the past two years is a significant indicator of its maturity and likely long-standing presence within the UAC-0063 arsenal," Zugec explained. "This observed stability suggests that DownExPyer was likely already operational and refined prior to 2022."
Bitdefender said it also identified a Python script designed to record keystrokes – likely a precursor to LOGPIE – on one of the compromised machines that was infected with DownEx, DownExPyer, and HATVIBE.
"UAC-0063 exemplifies a sophisticated threat actor group characterized by its advanced capabilities and persistent targeting of government entities," Zugec said.
"Their arsenal, featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with potential Russian strategic interests."