2,000 Computers Infected: Inside UAC-0027’s Devastating Ukraine Attack
In the ever-evolving landscape of cybersecurity threats, one name has recently emerged as a formidable adversary: the UAC-0027 hacking group. This enigmatic collective has taken center stage in the realm of cyber warfare, orchestrating a sophisticated and large-scale cyber attack against Ukraine that has left over 2,000 computers infected with the notorious DIRTYMOE (PURPLEFOX) malware.
At the dawn of February 2024, the digital defenses of Ukrainian organizations faced a new onslaught. While the infamous UAC-0050 group continued its cyberattacks on Ukraine, another malevolent force, the UAC-0027 hacking group, initiated a malicious campaign of its own.
At the heart of this cyber onslaught lies the DIRTYMOE (PURPLEFOX) malware, a modular and insidious threat that has lingered in the shadows of the cyber world for over five years. This malware is a Swiss Army knife of cybercrime, granting its wielders the power to establish remote access to targeted systems, launch devastating DDoS attacks, and engage in cryptocurrency mining.
DIRTYMOE’s modus operandi involves infecting computers through the exploitation of software vulnerabilities. Often, the initial breach occurs when unwitting users install seemingly innocuous software packages that contain MSI installers. Once inside a system, DIRTYMOE establishes a backdoor with a rootkit, making it exceptionally challenging to eradicate.
One of DIRTYMOE’s most insidious traits is its self-propagation capability. It can spread like wildfire, either by brute-forcing authentication credentials or exploiting known vulnerabilities. To ensure resilience in communicating with its command and control (C2) infrastructure, DIRTYMOE employs a multi-pronged approach, including obtaining A-record values from statically defined domain names through both local and external DNS servers. This intricate web of communication is further obfuscated by concealing IP addresses in the operating system registry and DNS queries.
As investigators delve deeper into the labyrinthine world of the UAC-0027 hacking group, they have uncovered 486 IP addresses associated with intermediate control servers. A majority of these servers, shockingly, belong to compromised hardware located in China. What’s more alarming is the rate at which new IP addresses are added daily, creating a dynamic and ever-expanding network of cyber threats.
To protect against this relentless adversary, CERT-UA recommends vigilant monitoring and proactive measures. They suggest the following steps to detect potential signs of infection:
1. Network Connections Investigation: Scrutinize network connections, focusing on the list of IP addresses provided in CERT-UA’s research. Be alert for outbound connections on “high” network ports (10,000+).
2. Registry Check Using regedit.exe: Utilize the regedit.exe utility to inspect registry values under specific keys, depending on the Windows version.
3. Event Viewer Analysis: Leverage the Event Viewer utility to scrutinize entries in the “Application” log with event IDs 1040 and 1042.
4. “C:\Program Files” Directory Analysis: Examine the “C:\Program Files” directory for folders with cryptic, arbitrarily generated names.
5. Persistent Execution Check: Confirm the malware’s persistence by examining the services it creates. Note, however, that the presence of a rootkit complicates both detection and removal.
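The following read-only triage script is an added example, not code from CERT-UA or from the article, covering steps 1, 3, 4 and 5 above on the host being checked. The high-port threshold, the random-folder-name heuristic, the IOC file path and the “Ms*App.dll” wildcard (standing in for the XXXXXXXX in “MsXXXXXXXXApp.dll”) are assumptions made for this example; step 2 is omitted because the registry keys in question are not listed on this page and must be taken from the CERT-UA advisory itself.

```powershell
# Added example (not CERT-UA's or the article's code): DIRTYMOE host triage.
# Run in an elevated PowerShell 5.1+ session. Everything below only reads state.

$HighPortThreshold = 10000                  # "high" ports per the article (10,000+)
$IocPath = 'C:\triage\cert-ua-ips.txt'      # placeholder: CERT-UA IP list, one per line
$KnownBad = if (Test-Path $IocPath) { Get-Content $IocPath } else { @() }

# Step 1: established outbound TCP connections to remote high ports,
# ignoring loopback and RFC 1918 peers, annotated with the owning process.
$Connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -ge $HighPortThreshold -and
                   $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check     = 'HighPortConnection'
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            Process   = if ($proc) { "$($proc.ProcessName) ($($proc.Id))" } else { "PID $($_.OwningProcess)" }
            InIocList = $KnownBad -contains $_.RemoteAddress
        }
    }

# Step 3: Application log events 1040 and 1042 from the last 30 days.
# -ErrorAction SilentlyContinue because Get-WinEvent throws when nothing matches.
$Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Application'
    Id        = 1040, 1042
    StartTime = (Get-Date).AddDays(-30)
} | Select-Object TimeCreated, Id, Message

# Step 4: folders under "C:\Program Files" with random-looking names.
# Heuristic (assumption): 8+ alphanumerics that have no vowels or mix in digits.
$RandomDirs = Get-ChildItem 'C:\Program Files' -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[A-Za-z0-9]{8,}$' -and
                   ($_.Name -notmatch '[aeiouAEIOU]' -or $_.Name -match '\d') }

# Module files named as the article describes, searched only inside those folders.
$Modules = $RandomDirs | ForEach-Object {
    Get-ChildItem $_.FullName -Recurse -File -Include 'Ms*App.dll', '*.sdb' -ErrorAction SilentlyContinue
}

# Step 5: persistence via services whose binary lives in one of those folders.
$RandomPaths = $RandomDirs | ForEach-Object { $_.FullName }
$Services = Get-CimInstance Win32_Service | Where-Object {
    $p = $_.PathName
    $p -and ($RandomPaths | Where-Object { $p -like "*$_*" })
} | Select-Object Name, State, StartMode, PathName

# Report each check separately so an empty section is itself informative.
'--- Outbound connections to remote ports >= {0} ---' -f $HighPortThreshold
$Connections | Format-Table -AutoSize
'--- Application log events 1040/1042 (last 30 days) ---'
$Events | Format-Table -AutoSize
'--- Random-looking folders under C:\Program Files ---'
$RandomDirs | Select-Object FullName, CreationTime | Format-Table -AutoSize
'--- Ms*App.dll / .sdb files inside those folders ---'
$Modules | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
'--- Services started from those folders ---'
$Services | Format-Table -AutoSize
```

Treat the folder-name heuristic as a prompt for manual review rather than a verdict: legitimate vendors occasionally ship oddly named directories, and a rootkit may hide the folder, the service or the connection from user-mode tooling entirely, which is why an offline (LiveUSB) inspection remains the more reliable check.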
To rid a system of this menacing malware, CERT-UA recommends two methods:
1. Download and install “Avast Free Antivirus” from the official manufacturer’s website. Initiate scanning in “SMART” mode, reboot the system, and proceed with the scanning process to detect and remove modules.
2. Boot the affected computer from a LiveUSB, or connect its hard drive to another computer. Manually delete the “MsXXXXXXXXApp.dll” file and the “.sdb” modules, then boot the system in normal mode and remove the service from the registry.
Crucially, whichever method is chosen, it is imperative to enable the operating system’s built-in firewall (“Firewall”) to thwart reinfection through DIRTYMOE’s self-propagation capabilities. Create a rule that blocks inbound traffic on specific network ports, including 135, 137, 139, and 445.
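One way to apply that recommendation on a Windows host, as an added example rather than CERT-UA’s or the article’s own instructions: enable the built-in firewall on every profile and add inbound block rules for the four listed ports. The rule display names are chosen for this example; the script must be run from an elevated session.

```powershell
# Added example (not CERT-UA's or the article's code): firewall hardening
# against DIRTYMOE self-propagation over ports 135, 137, 139 and 445.
$Ports = 135, 137, 139, 445

# Turn the firewall on for all three profiles; a disabled profile ignores rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Block both TCP and UDP: 137 is normally UDP (NetBIOS name service), the rest TCP.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block inbound $proto $($Ports -join ',') (DIRTYMOE mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort $Ports -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Verify: show the rules just created together with their port filters.
Get-NetFirewallRule -DisplayName 'Block inbound*DIRTYMOE*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
        Action    = $_.Action
        Enabled   = $_.Enabled
    }
} | Format-Table -AutoSize
```

Blocking inbound 139 and 445 also stops SMB file and printer sharing to this host, and 135 affects inbound RPC endpoint mapping, so on file servers or domain controllers scope the rules (for example with -RemoteAddress) to the networks that must be refused rather than applying them blindly.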