UAC-0050 Phishing Steals Data from Ukrainian & Polish Agencies

UAC-0050 phishing campaign

In the shadowy realms of cyber warfare, a new and alarming phishing campaign emerges, orchestrated by the notorious UAC-0050 group. This campaign, marked by its precision and malign intent, targets Ukraine’s public and private sectors. December 2023 witnessed the resurgence of UAC-0050, unleashing a sinister wave of attacks leveraging the devious Remcos RAT and Meduza Stealer against Ukrainian and Polish government agencies.

This sophisticated operation involves phishing emails skillfully disguised as communications from Kyivstar and the Security Service of Ukraine. These emails harbor treacherous attachments, leading unsuspecting victims to inadvertently trigger the download and activation of Remcos RAT. The malware, adeptly concealed within a series of encrypted files and executed via cunningly crafted macros, seizes control of the infected systems.

On December 21, 2023, CERT-UA revealed two phishing email campaigns, one masquerading as outstanding balance notifications from Kyivstar, and the other impersonating the Security Service of Ukraine. These deceptive emails featured topics related to Kyivstar balances and included a bait ZIP file attachment.

CERT-UA’s vigilant analysis and warnings have been instrumental in uncovering this perilous campaign. As UAC-0050 adapts and refines its tactics, utilizing services of a Malaysian provider and the autonomous system AS44477 for hosting, the urgency for enhanced cybersecurity vigilance becomes ever more apparent.

In response to this escalating threat, SOC Prime has curated a robust collection of detection algorithms. These tools are specifically designed to identify the malicious activities of UAC-0050 and traces of Remcos RAT infection. By aligning with the MITRE ATT&CK® framework and leveraging the flexibility of Sigma rules, these algorithms offer a formidable defense against this insidious campaign.

Security professionals, armed with the open-source Uncoder IO, can now conduct retrospective IOC matching on a grand scale. This platform allows for the swift conversion of critical threat intelligence into custom IOC queries, bolstering the capabilities of cyber defenders to proactively hunt and neutralize these looming threats.

The battle against UAC-0050’s phishing campaign underscores a pivotal moment in cybersecurity. It is a stark reminder of the relentless ingenuity of cyber adversaries and the ever-present need for robust and adaptive security strategies to safeguard our digital frontiers.