The Ukrainian menace intelligence group UAC-0099 has considerably advanced its cyber warfare capabilities, deploying a complicated new malware toolkit concentrating on Ukrainian state authorities, Protection Forces, and protection industrial enterprises.
The Nationwide Cyber Incident Response Group CERT-UA has documented a collection of coordinated assaults using HTA (HTML Utility) information as the first supply mechanism for the newly recognized MATCHBOIL loader malware.
These assaults start with rigorously crafted phishing emails, predominantly despatched from UKR.NET addresses, masquerading as official courtroom summons.
Instance of an electronic mail and a decoy file (Supply – CERT-UA)
The emails comprise hyperlinks to legit file-sharing companies, together with shortened URLs, which redirect victims to obtain double-archived information containing malicious HTA parts.
This social engineering method exploits the perceived legitimacy of authorized documentation to bypass preliminary person suspicion.
CERT-UA analysts recognized that the HTA information comprise closely obfuscated VBScript designed to determine a number of persistence mechanisms on compromised programs.
Upon execution, the malicious script creates a number of important information together with “documenttemp.txt” containing HEX-encoded information, “temporarydoc.txt” with PowerShell code, and establishes a scheduled process named “PdfOpenTask” for sustained system entry.
The menace actors have developed a multi-component malware ecosystem consisting of three main instruments: MATCHBOIL serves because the preliminary loader, MATCHWOK capabilities as a backdoor for distant command execution, and DRAGSTARE operates as a complete information stealer.
This trinity of malicious software program demonstrates the group’s development from earlier campaigns and suggests a shift towards extra persistent, multi-stage assault operations.
An infection Mechanism and Persistence Structure
The MATCHBOIL loader, developed in C#, implements a complicated multi-stage deployment course of that ensures persistent system compromise.
HTA file content material and decoded VBScript code (Supply – CERT-UA)
The preliminary HTA file execution triggers the creation of the scheduled process “PdfOpenTask” utilizing the command:-
schtasks.exe /create /tn PdfOpenTask /tr “powershell.exe -WindowStyle Hidden -executionpolicy bypass -noprofile -c Invoke-Expression (Get-Content material ‘%TMPpercenttemporarydoc.txt’ -Uncooked)” /sc as soon as /st 12:02 /f
This process converts HEX-encoded information into executable bytes, writes them to “%PUBLICpercentDownloadsAnimalUpdate.txt”, then strikes the file to “AnimalUpdate.exe” whereas establishing one other scheduled process “AnimalSoftUpdateAnimalSoftware” for execution.
The loader subsequently gathers system fingerprinting information together with CPU {hardware} identifiers, BIOS serial numbers, and MAC addresses, transmitting this info through HTTP headers to command-and-control servers hosted on domains like egyptanimals[.]com and geostat[.]lat.
Equip your SOC with full entry to the most recent menace information from ANY.RUN TI Lookup that may Enhance incident response -> Get 14-day Free Trial
