
A threat actor tracked as UAC-0099 is targeting Ukraine by exploiting a high-severity vulnerability in WinRAR to deliver the LONEPAGE malware.
UAC-0099 has been targeting Ukraine since 2022 and has been spotted going after Ukrainian employees working for companies outside Ukraine. In May 2023, CERT-UA warned of cyber espionage attacks carried out by UAC-0099 against Ukrainian state organizations and media representatives.
The group used several infection vectors: the researchers detailed phishing attacks using HTA, RAR, and LNK file attachments. In each case the attack chain led to the deployment of the last-stage malware, the Visual Basic Script (VBS) malware LONEPAGE, which can retrieve additional payloads, including keyloggers and info-stealers.
Deep Instinct reported that UAC-0099 exploited the WinRAR flaw CVE-2023-38831; a proof-of-concept (PoC) for the issue is available on GitHub. WinRAR version 6.23, released on August 2, 2023, addressed the vulnerability. The technique works as follows:
- The attacker creates an archive containing a benign-looking file whose name has a trailing space after the extension, for example “poc.pdf ” (note the space).
- The archive also includes a folder with exactly the same name, trailing space included. That folder holds a file whose name is the benign file's name, trailing space included, followed by a “.cmd” extension (“poc.pdf .cmd”).
- When a user opens a ZIP file with this layout in an unpatched version of WinRAR and double-clicks the benign-looking file, the file with the “.cmd” extension is executed instead.
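The archive layout described in the list above can be recognized from the ZIP central directory alone, without extracting anything. The following Python script is an added example written for this page, not code from Deep Instinct, CERT-UA or the article; it flags archive members that pair a trailing-space decoy name with a same-named folder holding a script of the same name. The set of script extensions and the sample member listings are constructed assumptions (the article itself only mentions “.cmd”).

```python
import io
import os
import zipfile

# Extensions that would run when WinRAR hands the look-alike member to the shell.
# The article names only ".cmd"; the rest of the set is an assumption for this example.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".wsf", ".hta", ".ps1", ".lnk"}


def find_decoy_pairs(member_names):
    """Return (decoy, payload) pairs that match the CVE-2023-38831 layout.

    The layout, as described in the article:
      * a file whose name ends with a space, e.g. "poc.pdf ";
      * a folder with exactly that name containing a file named after the decoy
        plus an executable extension, e.g. "poc.pdf /poc.pdf .cmd".
    Only member names are inspected; nothing is extracted.
    """
    files = [n for n in member_names if not n.endswith("/")]
    decoys = [n for n in files if n.endswith(" ")]
    pairs = []
    for decoy in decoys:
        folder_prefix = decoy + "/"
        decoy_base = decoy.rsplit("/", 1)[-1]
        for member in files:
            if not member.startswith(folder_prefix):
                continue
            inner = member[len(folder_prefix):]
            if "/" in inner:
                continue  # only direct children of the look-alike folder matter
            stem, ext = os.path.splitext(inner)
            if stem == decoy_base and ext.lower() in EXECUTABLE_EXTS:
                pairs.append((decoy, member))
    return pairs


def scan_zip_bytes(data):
    """Read the central directory of a ZIP held in memory and run the check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_pairs([info.filename for info in zf.infolist()])


def scan_zip_file(path):
    """Run the check against a ZIP on disk (WinRAR also opens ZIP archives)."""
    with open(path, "rb") as fh:
        return scan_zip_bytes(fh.read())


# Constructed member listings for demonstration; these are not real UAC-0099 artifacts.
SUSPICIOUS_LISTING = ["poc.pdf ", "poc.pdf /", "poc.pdf /poc.pdf .cmd"]
BENIGN_LISTING = ["report.pdf", "attachments/", "attachments/notes.txt"]


if __name__ == "__main__":
    for label, names in (("suspicious", SUSPICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        print(label, find_decoy_pairs(names))
```

The check is deliberately narrow: a trailing-space filename on its own is unusual but not conclusive, so the script only reports the full decoy-plus-folder-plus-script combination. A mail gateway or sandbox can run `scan_zip_file` on attachments before delivery; the same name-based logic applies to RAR archives if a RAR listing library is available.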
Despite the different initial infection vectors, the core of the infection is the same: the attackers rely on PowerShell and on the creation of a scheduled task that executes a VBS file. The researchers pointed out that this attack technique can also deceive security-savvy victims.
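The persistence step mentioned above (a scheduled task that runs a VBS file) leaves a task definition in XML form in the Task Scheduler's storage on the host, and that XML can be reviewed offline. The following Python script is an added example for this page, not code from the article or from the researchers; it parses a task definition and reports Exec actions that launch a .vbs file either directly or through a script host. The two sample task definitions, the file paths inside them and the list of script hosts are constructed assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definition XML.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Interpreters that could be used to run a VBS file; an assumption for this example.
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "pwsh", "cmd"}


def vbs_exec_actions(task_xml):
    """Return Exec actions in a task definition that run a .vbs file.

    A hit is an <Exec> whose Command is itself a .vbs path, or whose Command is a
    script host and whose Arguments reference a .vbs file.
    """
    root = ET.fromstring(task_xml)
    hits = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        bare_command = command.strip('"')
        # Reduce e.g. "C:\Windows\System32\wscript.exe" to "wscript" for the host check.
        host = os.path.basename(bare_command.replace("\\", "/")).lower()
        if host.endswith(".exe"):
            host = host[:-4]
        runs_vbs_directly = bare_command.lower().endswith(".vbs")
        host_runs_vbs = host in SCRIPT_HOSTS and ".vbs" in arguments.lower()
        if runs_vbs_directly or host_runs_vbs:
            hits.append({"command": command, "arguments": arguments})
    return hits


def scan_task_folder(folder):
    """Walk a folder of task definitions (System32/Tasks on Windows, or an exported copy)."""
    report = {}
    for dirpath, _, filenames in os.walk(folder):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()  # bytes, so UTF-16 task files with a BOM parse as-is
            try:
                hits = vbs_exec_actions(raw)
            except ET.ParseError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed task definitions for demonstration; paths and names are placeholders.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\Public\placeholder.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Placeholder\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    print("suspicious:", vbs_exec_actions(SUSPICIOUS_TASK_XML))
    print("benign:", vbs_exec_actions(BENIGN_TASK_XML))
```

On a live host the same question can be answered from Security event 4698 (scheduled task created) or from the Task Scheduler operational log; reviewing the stored XML is the offline variant that works on a disk image or an exported task folder, which is the situation an incident responder usually faces.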


