
CERT-UA Warns of UAC-0173 Assaults Deploying DCRat to Compromise Ukrainian Notaries


Feb 26, 2025 | Ravie Lakshmanan | Network Security / Threat Intelligence


The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173 that involves infecting computers with a remote access trojan named DCRat (aka DarkCrystal RAT).

The Ukrainian cybersecurity authority said it observed the latest attack wave beginning in mid-January 2025. The activity is designed to target the Notary of Ukraine.

The infection chain leverages phishing emails that claim to be sent on behalf of the Ministry of Justice of Ukraine, urging recipients to download an executable which, when launched, leads to the deployment of the DCRat malware. The binary is hosted in Cloudflare's R2 cloud storage service.


"Having thus provided primary access to the notary's automated workplace, the attackers take measures to install additional tools, in particular, RDPWRAPPER, which implements the functionality of parallel RDP sessions, which, in combination with the use of the BORE utility, allows you to establish RDP connections from the Internet directly to the computer," CERT-UA said.
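The combination CERT-UA describes leaves two host-side traces a defender can look for: a workstation with more than one simultaneously active interactive session (normally impossible without an RDP Wrapper-style patch of termsrv), and RDP logons whose source address is loopback, because a tunnelling client such as bore forwards inbound traffic to localhost:3389 rather than the machine's real interface. The script below is an added example written for this article, not CERT-UA tooling and not from the original report. It runs two such heuristics over constructed sample data: flattened key=value renderings of Windows Security event 4624 (logon type 10 is RemoteInteractive, i.e. RDP) and a constructed `query user` listing. The field names mirror the real event schema, but the one-line format, the sample hosts and user names, and the thresholds are assumptions made for the illustration.

```python
import re

# Constructed sample: Windows Security event 4624 records flattened to one
# key=value line each. Real events are EVTX/XML; this flat form is assumed
# here only so the example runs offline.
SAMPLE_LOGON_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=notary IpAddress=10.0.0.5 WorkstationName=ADMIN-PC",
    "EventID=4624 LogonType=10 TargetUserName=notary IpAddress=127.0.0.1 WorkstationName=-",
    "EventID=4624 LogonType=2 TargetUserName=notary IpAddress=- WorkstationName=NOTARY-PC",
    "EventID=4624 LogonType=10 TargetUserName=support IpAddress=::1 WorkstationName=-",
    "EventID=4625 LogonType=10 TargetUserName=admin IpAddress=127.0.0.1 WorkstationName=-",
]

# Constructed sample of `query user` output on a workstation (assumed data).
# Two sessions in the Active state at once is what RDP Wrapper makes possible
# on client editions of Windows, which otherwise allow a single one.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>notary                console             1  Active      none   2/26/2025 9:01 AM
 notary                rdp-tcp#3           2  Active         .   2/26/2025 9:14 AM
 backup                                    3  Disc        1:02   2/25/2025 6:40 PM
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}
RDP_LOGON_TYPE = "10"  # RemoteInteractive


def parse_event(line):
    """Turn a flattened 'key=value key=value' event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_tunnelled_rdp_logons(lines):
    """Successful RDP logons (4624, type 10) whose source is loopback.

    A loopback source on an RDP logon means the connection entered through a
    local forwarder rather than the NIC, which is what a bore-style tunnel
    from the Internet looks like on the host. Returns (user, source) pairs.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if (
            ev.get("EventID") == "4624"
            and ev.get("LogonType") == RDP_LOGON_TYPE
            and ev.get("IpAddress") in LOOPBACK_ADDRESSES
        ):
            hits.append((ev.get("TargetUserName", "?"), ev["IpAddress"]))
    return hits


# `query user` rows: optional '>' marker, user, optional session name, id, state.
# Disconnected sessions have no session name, so that column is optional.
QUERY_USER_ROW = re.compile(
    r"^\s*>?(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+(?P<state>\w+)"
)


def parse_query_user(output):
    """Parse `query user` text into a list of {user, session, id, state} dicts."""
    sessions = []
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("USERNAME"):
            continue
        m = QUERY_USER_ROW.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def count_active_sessions(output):
    """Number of sessions in the Active state; >1 on a workstation suggests
    a termsrv patch such as RDP Wrapper (threshold is an assumption)."""
    return sum(1 for s in parse_query_user(output) if s["state"] == "Active")


def assess_host(logon_lines, query_user_output, max_expected_active=1):
    """Combine both heuristics into a list of human-readable findings."""
    findings = []
    for user, src in find_tunnelled_rdp_logons(logon_lines):
        findings.append(f"RDP logon for '{user}' from loopback {src} (possible tunnel)")
    active = count_active_sessions(query_user_output)
    if active > max_expected_active:
        findings.append(f"{active} concurrently active sessions (possible RDP Wrapper)")
    return findings


if __name__ == "__main__":
    for finding in assess_host(SAMPLE_LOGON_EVENTS, SAMPLE_QUERY_USER):
        print(finding)
```

On a real host you would feed `find_tunnelled_rdp_logons` with 4624 events exported from the Security log and `parse_query_user` with the live output of `query user`; both heuristics can also be expressed as SIEM rules, and either alone is a lead rather than proof, since legitimate local RDP testing and multi-session server editions produce the same traces.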

The attacks are also characterized by the use of other tools and malware families like FIDDLER for intercepting authentication data entered in the web interface of state registers, NMAP for network scanning, and XWorm for stealing sensitive data, such as credentials and clipboard content.

Furthermore, the compromised systems are used as a conduit to draft and send malicious emails using the SENDMAIL console utility in an attempt to further propagate the attacks.

The development comes days after CERT-UA attributed a sub-cluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched security flaw in Microsoft Windows (CVE-2024-38213, CVSS score: 6.5) in the second half of 2024 by way of booby-trapped documents.

The attack chains have been found to execute PowerShell commands responsible for displaying a decoy file, while simultaneously launching additional payloads in the background, including SECONDBEST (aka EMPIREPAST), SPARK, and a Golang loader named CROOKBAG.


The activity, attributed to UAC-0212, targeted supplier companies from Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with some of the attacks recorded against more than two dozen Ukrainian enterprises specializing in the development of automated process control systems (ACST), electrical works, and freight transportation.

Some of these attacks have been documented by StrikeReady Labs and Microsoft, the latter of which is tracking the threat group under the moniker BadPilot.
