Key points
- UAC-0099 targeted Ukrainian staff with impersonated court summons emails delivering malicious attachments (RAR SFX, HTA, or specially crafted ZIP exploiting CVE-2023-38831).
- The RAR SFX unpacked a docx.lnk shortcut (double-extension trick) that launched PowerShell, which decoded base64 blobs to drop a VBS (LonePage) and a decoy DOCX/PDF.
- LonePage (VBS) creates a hidden PowerShell process, installs a scheduled task (every 3–4 minutes) to run the VBS, and contacts hardcoded C2 servers to retrieve tasking from an “upgrade.txt” file.
- C2 responses can contain PowerShell to execute (e.g., screenshot capture or recon commands); results are returned to the same C2 via HTTP POST to a different port.
- An HTA variant embeds VBScript that launches PowerShell and similarly drops a decoy document and scheduled task (4-minute cadence).
- UAC-0099 exploited a WinRAR ZIP handling flaw (CVE-2023-38831) that causes a .cmd inside the archive to execute when a user double-clicks a seemingly benign file; patched in WinRAR 6.23.
- Active C2 IPs and multiple file hashes (SFX, LNK, VBS, HTA, decoys, and CVE payloads) were published as IOCs.
MITRE Techniques
- [T1566] Phishing – ‘sent an email impersonating the Lviv city court using the ukr.net email service.’
- [T1204.002] User Execution: Malicious File – ‘attached is an executable file created by WinRAR … self-extracting archive (SFX)’.
- [T1036] Masquerading – ‘a new file is created with a double extension, in this case docx.lnk … it’s a LNK shortcut disguised as a DOCX file.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – ‘the specially crafted LNK file executes PowerShell with malicious content:’
- [T1027] Obfuscated Files or Information – ‘The malicious PowerShell code decodes two base64 blobs and writes the output into VBS and DOCX files.’
- [T1053.005] Scheduled Task/Job – ‘creating a new scheduled task that executes the VBS file every three minutes.’
- [T1071.001] Application Layer Protocol: Web Protocols – ‘hidden PowerShell process that communicates with a hardcoded C2 URL to fetch a text file.’
- [T1113] Screen Capture – ‘This PowerShell code is responsible for taking a screenshot.’
- [T1203] Exploitation for Client Execution – ‘exploited a known WinRAR vulnerability … the attacker creates an archive with a benign filename with a space after the file extension — for example, “poc.pdf .”’
Indicators of Compromise
- [IP Address] C2 servers observed – 147.78.46[.]40, 196.196.156[.]2, 2.59.222[.]98
- [File hash] Sample payloads (SFX/LNK/VBS) – d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6 (SFX), 0eec5a7373b28a991831d9be1e30976ceb057e5b701e732372524f1a50255c7 (LNK), and 24 more hashes
- [File name] Decoys and artifacts – docx.lnk (double-extension LNK shortcut), upgrade.txt (C2 tasking file), poc.pdf . (WinRAR-crafted filename used in CVE-2023-38831 exploit)
- [URL/POC] Public exploit reference – GitHub proof-of-concept for CVE-2023-38831 (POC linked from the report)
Deep Instinct observed a consistent technical chain across multiple delivery mechanisms: an initial spearphish email impersonating a court summons delivered either a WinRAR SFX archive, an HTA file, or a specially crafted ZIP exploiting CVE-2023-38831. The SFX unpacked a double-extension docx.lnk that masqueraded as a DOCX but executed PowerShell; that PowerShell base64-decodes two blobs, drops a decoy document and a VBS payload (LonePage), and schedules recurring execution. The HTA variant embeds VBScript that launches PowerShell and drops the same decoy/VBS artifacts, using a scheduled task with a four-minute cadence.
LonePage (VBS) spawns a hidden PowerShell process that contacts hardcoded C2 URLs to fetch an “upgrade.txt” file; if the response contains tasking (or is larger than one byte and includes ‘get-content’), the script executes or writes the returned code as bytes and runs it. Command results and stolen data (including screenshots via supplied PowerShell) are returned to the operator via HTTP POST to the C2 on a different port. In parallel, UAC-0099 exploited the WinRAR ZIP handling flaw by placing a filename with a trailing space and a .cmd entry so user interaction with a benign-seeming file causes the .cmd to execute; observed ZIPs contained different C2 paths and were generated seconds apart, indicating automated staging.
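As an added defender-side check (not code from the Deep Instinct report), the following Python reads only the entry names in a ZIP's central directory and flags the CVE-2023-38831 layout described above: a decoy file name with a trailing space beside a same-named directory holding a .cmd entry. The sample archives are constructed in memory with placeholder content, and the extra .bat extension is an assumption added for coverage.

```python
import io
import zipfile
from typing import List, Tuple

# Script extensions to look for inside the same-named directory. The report
# names .cmd; .bat is an assumption added for coverage.
SCRIPT_EXTS = (".cmd", ".bat")


def suspicious_zip_entries(data: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) pairs matching the CVE-2023-38831 layout:
    a top-level file whose name ends in a space (e.g. "poc.pdf ") next to
    a directory of the same name that holds a .cmd/.bat entry. Only the
    central-directory names are read; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    # Decoys: top-level file names ending in a trailing space.
    decoys = [n for n in names if "/" not in n and n.endswith(" ")]
    findings = []
    for decoy in decoys:
        prefix = decoy + "/"
        for name in names:
            if name.startswith(prefix) and name.lower().endswith(SCRIPT_EXTS):
                findings.append((decoy, name))
    return findings


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed in-memory archives for exercising the check. The script
    entry holds a harmless placeholder line, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("poc.pdf ", b"%PDF-1.4 placeholder decoy")
            zf.writestr("poc.pdf /poc.pdf .cmd", b"rem constructed placeholder")
        else:
            zf.writestr("summons.pdf", b"%PDF-1.4 placeholder")
            zf.writestr("attachments/readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("crafted", True), ("benign", False)):
        print(label, suspicious_zip_entries(build_sample_archive(flag)))
```

The same name-only check can be applied to archives quarantined at a mail gateway, since it never needs the payload to be extracted.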
Observed technical artifacts include scheduled tasks that invoke the VBS every 3–4 minutes, hidden PowerShell processes, base64-encoded payload blobs, upgrade.txt tasking files served from hardcoded C2 IPs, and multiple payload hashes (SFX, LNK, VBS, HTA, decoys, CVE payloads). These behaviors enable persistent remote tasking (recon, screenshot capture, arbitrary PowerShell execution) and are associated with the IPs and hashes listed above. Read more: https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine