
Hackers are sending phishing emails disguised as subpoenas to Ukrainian government agencies and defense enterprises

The Cyber Command of the State Emergency Service of Ukraine (CERT-UA) has identified new cases of hacker attacks on state bodies and enterprises of the defense-industrial complex. It all starts with the sending of phishing emails, often disguised as official documents, such as "court summonses."


The attacks are carried out by the UAC-0099 group, which has significantly updated its tooling and started using the new malware programs MATCHBOIL, MATCHWOK, and DRAGSTARE. The attackers use a multi-stage attack chain aimed at stealing data and gaining remote control over systems, the State Special Communications Service reports.

The emails contain a link (sometimes shortened) to a legitimate file-sharing service. Clicking on it initiates the download of a ZIP archive containing a malicious HTA file. This is the beginning of a multi-stage attack.

Executing the HTA file launches VBScript code. This script creates two files on the victim's computer: one with HEX-encoded data, the other with PowerShell code. A scheduled task is created to ensure the execution of this code. In the next step, the PowerShell script decodes the data and creates an executable file of the MATCHBOIL loader from it, which is persisted on the system through its own scheduled task.

CERT-UA research has identified three new malware samples:

MATCHBOIL — the program's task is to deliver the main malicious payload to the affected computer. It collects basic system information (processor ID, BIOS serial number, username, MAC address) to identify the victim on the management server. It then downloads the next attack component, saves it as a COM file, and creates a registry key to ensure its automatic launch.

MATCHWOK — allows attackers to remotely execute arbitrary PowerShell commands on the affected system. The commands come from the management server in encrypted form and are executed through the PowerShell interpreter, which the program first renames and moves. The backdoor has anti-analysis elements; in particular, it checks the system for running processes of tools such as Wireshark, Fiddler, or Procmon.

DRAGSTARE — performs a comprehensive data collection: system information (computer name, OS data, processors, memory, disks, network interfaces); as well as browser data — steals authentication data (logins, passwords, cookies) from Chrome and Firefox, using DPAPI for decryption; performs a recursive search on the desktop, in documents and file downloads with the extensions .docx, .doc, .xls, .pdf, .ovpn, .rdp, .txt. The found files are archived and sent to the attackers' server.
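As an added detection example (not from the CERT-UA report or this article), the stages of the chain described above, namely HTA execution, the scheduled task registered from it, PowerShell launched by that task, and the Run-key persistence of the COM-file payload, correlated per host over constructed Sysmon-style events; the event field names and svchost.exe as the parent of task-launched PowerShell are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs), modelled on the stages the article
# describes: mshta runs the HTA, the script registers a scheduled task, the task launches
# PowerShell, and the loader writes a Run key pointing at a .com payload (fields assumed).
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"mshta.exe C:\Users\u\Downloads\summons.hta"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r"schtasks /create /sc minute /tn Updater /tr C:\Users\u\AppData\Roaming\run.ps1"},
    {"id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"powershell.exe -w hidden -File C:\Users\u\AppData\Roaming\run.ps1"},
    {"id": 13, "host": "WS01",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\u\AppData\Roaming\svc.com"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe"},
]

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Map one event to a chain stage name, or None if it matches no stage."""
    if ev["id"] == 1:  # process creation
        img, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmd"].lower()
        if img == "mshta.exe" and cmd.endswith(".hta"):
            return "hta_execution"
        if img == "schtasks.exe" and "/create" in cmd and parent in ("mshta.exe", "wscript.exe"):
            return "scheduled_task_from_hta"
        if img == "powershell.exe" and parent == "svchost.exe" and "-file" in cmd:
            return "powershell_from_task"
    elif ev["id"] == 13:  # registry value set
        if "\\currentversion\\run\\" in ev["target"].lower() and ev["details"].lower().endswith(".com"):
            return "run_key_com_payload"
    return None

def correlate(events, min_stages=2):
    """Group stage hits per host and report hosts with at least min_stages distinct stages."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in hits.items() if len(stages) >= min_stages}
```

Requiring several distinct stages on the same host keeps a lone mshta.exe launch or a single Run-key write from paging anyone, while the full chain on WS01 does.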
