Threat Research

Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports

iocOne
Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports

CERT-UA has reported a resurgence of the criminal group UAC-0173, which has been targeting Ukrainian notary offices to gain unauthorized access to state registers for financial gain. Despite defensive efforts by the Ministry of Justice and other agencies, the group employs sophisticated malware and techniques to evade security measures. Affected: Ukraine, Ukrainian notary offices

Keypoints :

  • UAC-0173 group targets Ukrainian notary offices for cyberattacks.
  • The group utilizes malware such as DARKCRYSTALRAT (DCRAT) and tools like RDPWRAPPER and FIDDLER.
  • Malicious emails disguised as official communications from the Ministry of Justice were used to deliver malware.
  • Initial access is gained through malicious attachments like β€œHAKA3.exe”.
  • The attacks are part of a broader cyber-espionage campaign against Ukraine’s public records systems.
  • CERT-UA and the Ministry of Justice have implemented measures to secure affected systems.
  • Notaries are advised to remain vigilant and report suspicious activities.
  • Collaboration between law enforcement and cybersecurity agencies is crucial in countering these threats.

MITRE Techniques :

  • T1071 – Application Layer Protocol: The group used common applications and services for their malware communications.
  • T1078 – Valid Accounts: The attackers leveraged valid accounts to establish unauthorized access to systems.
  • T1553 – Subvert Trust Controls: User Account Control (UAC) was bypassed using RDPWRAPPER, enabling unauthorized access.
  • T1210 – Exploit Public-Facing Application: Malicious links in emails led to the exploitation of vulnerable applications on notary systems.
  • T1071.001 – Application Layer Protocol: Usage of HTTP/S for command and control communications for malware.

Indicator of Compromise :

  • [File Hash] 3288c284561055044c489567fd630ac2
  • [File Hash] cbad5b2ca73917006791882274f769e8
  • [File Hash] A6b692e0ed3d5cd6fd20820dd06608ac
  • [Malicious URL] hXXps://87.120.126[.]48/1pm
  • [Malicious URL] hXXps://194[.]0.234.155/for your information.exe

Full Story: https://thecyberexpress.com/uac-0173-cyberattack/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint