Source: Bitdefender
Bitdefender Labs has issued a warning about an active cyber-espionage campaign conducted by the threat actor known as UAC-0063. Initially targeting organizations in Central Asia, UAC-0063 has expanded its operations into European countries, raising significant cybersecurity concerns for government institutions and diplomatic missions.
The shifting geopolitical dynamics in Central Asia have played a crucial role in fostering an environment conducive to cyber espionage. “Since the start of the Ukraine war, the geopolitical landscape of Central Asia has undergone significant shifts, impacting the region’s relationships with both Russia and China,” Bitdefender notes. As Russia’s influence wanes due to its military engagements in Ukraine, China’s economic initiatives, particularly through the Belt and Road Initiative (BRI), are growing in prominence. These tensions have created a fertile ground for cyber-espionage operations.
Bitdefender has been monitoring UAC-0063 since 2022, detailing the group’s sophisticated tactics and infrastructure. Initially, intelligence on this actor was limited, but subsequent research and insights from CERT-UA have shed light on its operations, which now target European entities in Germany, the UK, the Netherlands, Romania, and Georgia.
While there are similarities between UAC-0063’s tactics and those of Russian cyber-espionage group APT28 (also known as BlueDelta), the connection remains inconclusive. “There is a moderate confidence assessment by CERT-UA that UAC-0063 is linked to the Russian cyber-espionage group APT28. However, the specific basis for this assessment remains unclear,” the report states.
UAC-0063 employs an array of sophisticated malware and attack techniques, including:
- Weaponized Documents: “Threat actors exploited previously compromised victims by weaponizing exfiltrated Microsoft Word documents,” Bitdefender explains. These infected documents were then used to deliver the HATVIBE malware to new targets.
- USB Data Exfiltration: The malware PyPlunderPlug was discovered on an infected system, facilitating covert USB data exfiltration.
- Advanced Payloads: DownEx (written in C++) and DownExPyer (Python-based, also known as CHERRYSPY) enable long-term espionage capabilities.
- Keylogging and Surveillance: Bitdefender identified a keylogger, believed to be a precursor to LOGPIE, indicating advanced surveillance capabilities.
Bitdefender’s research highlights UAC-0063’s deceptive attack methods. Victims receive emails containing malicious links rather than direct attachments, reducing the likelihood of detection by email security systems. “The latest infection attempt was observed on November 21, 2024, containing a link to a document file named Инфо о запуске нового проекта ec.doc hosted on server https://cloud-mail[.]ink/download.php,” the report details.
Once a victim opens the infected document, they encounter a blurred page with a deceptive warning: “Macros have been disabled.” Users who enable macros inadvertently execute a hidden VBA script that deploys the HATVIBE loader, creating persistent access for attackers.
Bitdefender Labs’ investigation uncovered a vast infrastructure supporting UAC-0063’s espionage operations. The group actively maintains its command-and-control (C2) servers, renewing TLS certificates to ensure operational longevity. Some of the known C2 domains include:
- lanmangraphics[.]com
- errorreporting[.]net
- internalsecurity[.]us
- tieringservice[.]com
- automation-embedding[.]com
These domains serve as critical nodes for malware deployment and data exfiltration.
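To hunt for these indicators in DNS or proxy logs, here is an added example (not code from the Bitdefender report; the log lines are constructed) that refangs the defanged domains and matches hosts on label boundaries, so a look-alike host such as `notinternalsecurity.us` is not flagged while a subdomain of a listed C2 is:

```python
"""Match DNS/proxy log lines against the defanged C2 domains quoted in the report."""
import re
from typing import List, Optional, Tuple

# Indicators as quoted (defanged) in the report; cloud-mail[.]ink hosted the lure document.
DEFANGED_INDICATORS = [
    "lanmangraphics[.]com",
    "errorreporting[.]net",
    "internalsecurity[.]us",
    "tieringservice[.]com",
    "automation-embedding[.]com",
    "cloud-mail[.]ink",
]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' style defanging back into a real, lowercase domain."""
    return indicator.replace("[.]", ".").lower().strip(".")

C2_DOMAINS = {refang(d) for d in DEFANGED_INDICATORS}

def matching_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None.
    Matching on a leading '.' keeps 'notinternalsecurity.us' from hitting."""
    host = host.lower().rstrip(".")  # DNS logs often carry a trailing dot
    for c2 in C2_DOMAINS:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None

def hosts_in_line(line: str):
    """Yield hostnames from whitespace-separated key=value fields or bare URLs."""
    for tok in line.split():
        tok = tok.split("=", 1)[-1]                      # key=value proxy fields
        tok = re.sub(r"^[a-z]+://", "", tok, flags=re.I)  # strip URL scheme
        host = tok.split("/", 1)[0].split(":", 1)[0]      # drop path and port
        if "." in host:
            yield host

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, host, matched_c2) for every line touching a listed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in_line(line):
            c2 = matching_domain(host)
            if c2:
                hits.append((n, host.lower().rstrip("."), c2))
    return hits

# Constructed sample log lines, not real telemetry.
LOG_LINES = [
    "2024-11-21T10:02:11 client=10.0.0.5 query=cdn.lanmangraphics.com. type=A",
    "2024-11-21T10:02:12 client=10.0.0.5 query=notinternalsecurity.us type=A",
    "2024-11-21T10:03:40 client=10.0.0.7 url=https://cloud-mail.ink/download.php status=200",
    "2024-11-21T10:04:01 client=10.0.0.9 url=https://www.example.org/ status=200",
]
```

Running `scan_log(LOG_LINES)` reports lines 1 and 3 only; the look-alike on line 2 and the benign site on line 4 are ignored.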
For a deeper technical dive into UAC-0063’s attack methodologies, visit Bitdefender Labs’ official blog post on the research findings.