A sophisticated attack chain attributed to the threat group UAC-0184 uses Windows’ native bitsadmin tool together with HTA files to quietly deploy malicious payloads on targeted computers. The campaign is aimed primarily at Ukraine, with strong evidence that military-related entities, including individuals associated with the Ukrainian Defence Forces, are the main targets.
Social Engineering and Initial Attack Vector
The attackers rely on social engineering lures built around topics such as legal matters, combat footage, and personal contact requests to get victims to open infected files. When the victim opens the lure, which may be disguised as a PDF, Word or Excel document, bitsadmin is invoked in the background to fetch an HTA file from an attacker-controlled server. The HTA is then executed with mshta.exe, advancing the infection without raising an immediate alert on the victim’s system.
Synaptic Security analysts reported to Cyber Security News (CSN) that this delivery technique is gated, meaning the payload is only released to systems that meet specific criteria, thereby avoiding detection by sandbox environments and security researchers.
Advanced Delivery Mechanisms
This conditional delivery system complicates the study of the malware and allows attackers to operate without drawing attention for extended periods. Once executed, the HTA file runs a hidden PowerShell command to download a ZIP archive from the attacker’s server at IP address 169.40.135.35. The archive is unpacked into a directory in the AppData folder, launching two files: a music visualizer application named Cluster-Overlay64.exe and a decoy PDF named Scan_001.pdf, which serves to distract the user.
The full toolset used by UAC-0184 shows notable operational expertise. The final phase of the infection chain repurposes PassMark BurnInTest network components as a covert command-and-control channel, using UDP port 31339 for what looks like peer-discovery traffic. Hiding inside legitimate, code-signed software gives the attackers a credible cover identity within a trusted process tree.
Implications and Defensive Measures
Using bitsadmin to download files is not new, but pairing it with HTA execution is a deliberate choice that lets the malware blend in with ordinary Windows background activity. Bitsadmin, a Windows command-line tool originally intended for managing background file transfers, is a well-known living-off-the-land binary that often goes unnoticed by users and by endpoint security controls that do not inspect its command line.
Once the HTA file runs, it drops a package containing Cluster-Overlay64.exe, openvr_api.dll, filter.bin, and kernel-diag.lib into the %APPDATA%\ApplicationData32 folder. The actual malicious code is hidden inside DLL files and encoded blobs and is recovered at runtime through a multi-layered process that combines XOR operations with LZNT1 decompression. The final payload is then side-loaded into VSLauncher.exe, a legitimate Microsoft-signed Visual Studio binary, so that the malicious code runs under a trusted process name.
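To make the unpacking scheme concrete, the following is an added example (not code from the article or from the UAC-0184 samples) that peels a constructed two-layer blob: a repeating-key XOR followed by LZNT1 decompression, the format that Windows’ RtlDecompressBuffer consumes. The key, the hand-assembled compressed chunk, and the assumption that XOR comes before decompression are all made up for illustration; the real samples’ keys, layer order and blob layout are not given on this page.

```python
"""Unpack a constructed XOR + LZNT1 blob (added example, not the real sample's unpacker)."""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress an LZNT1 stream as described in MS-XCA (chunked, 4 KiB per chunk)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header, = struct.unpack_from("<H", buf, pos)
        pos += 2
        if header == 0:                      # a zero header terminates the stream
            break
        if (header >> 12) & 0x7 != 0x3:      # bits 12-14 carry a fixed signature of 3
            raise ValueError("bad chunk signature at offset %d" % (pos - 2))
        size = (header & 0xFFF) + 1          # low 12 bits: compressed size minus one
        chunk = buf[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        pos += size
        if not header & 0x8000:              # bit 15 clear: chunk is stored uncompressed
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]                 # one flag byte governs the next 8 tokens
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:   # flag bit 0: literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 2 > len(chunk):
                    raise ValueError("truncated copy token")
                token, = struct.unpack_from("<H", chunk, i)
                i += 2
                # The length/displacement split widens as the chunk output grows.
                p = len(out) - chunk_start - 1
                len_mask, disp_shift = 0xFFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > len(out) - chunk_start:
                    raise ValueError("back-reference points before chunk start")
                for _ in range(length):      # byte-wise copy handles overlapping runs
                    out.append(out[-disp])
    return bytes(out)


# Hand-assembled LZNT1 chunk (constructed): 3 literals, a 9-byte copy at
# displacement 3, 5 literals, then a 5-byte copy at displacement 17.
COMPRESSED = (
    b"\x0d\xb0"            # header: compressed, signature 3, 14 data bytes
    b"\x08ABC\x06\x20"     # flags 0b00001000: A B C, then token (len 9, disp 3)
    b"DEFG"                # remaining literals under the same flag byte
    b"\x02H\x02\x80"       # flags 0b00000010: H, then token (len 5, disp 17)
)
KEY = b"\x5a\xa5\x3c"      # constructed demo key, not taken from any sample
ON_DISK_BLOB = xor_bytes(COMPRESSED, KEY)   # what a filter.bin-style file would hold


def unpack_layers(blob: bytes, key: bytes) -> bytes:
    """Peel the layers in the assumed order: XOR first, then LZNT1."""
    return lznt1_decompress(xor_bytes(blob, key))


if __name__ == "__main__":
    print(unpack_layers(ON_DISK_BLOB, KEY))   # b'ABCABCABCABCDEFGHABCAB'
```

The chunk signature and size checks matter in practice: a loader that skips them will happily read past the end of a buffer on a malformed blob, and an analyst reimplementing the unpacker wants a clear failure rather than garbage when the XOR key guess is wrong.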
Security teams should alert on bitsadmin and mshta.exe appearing in the same process chain, especially when temporary file names matching the ~tmp(…).hta pattern are involved. Network teams should watch for UDP traffic to 224.0.0.255 (a link-local multicast address) on port 31339, which the malware repurposes for command-and-control. Unexpected file creation in %APPDATA%\ApplicationData32, or VSLauncher.exe running from anywhere other than a legitimate Visual Studio path, warrants immediate investigation.
Indicators of Compromise (IoCs) include IP address 169.40.135.35, various HTA stage-1 payload URLs, and specific SHA-256 hashes for payload components. Defenders should remain vigilant and employ comprehensive monitoring to counteract these sophisticated tactics.
