Cyber Web Spider Blog – News
CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures

Posted on August 6, 2025 by CWS

Aug 06, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor known as UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.
The attacks, which leverage phishing emails as an initial compromise vector, are used to deliver malware families like MATCHBOIL, MATCHWOK, and DRAGSTARE.
UAC-0099, first publicly documented by the agency in June 2023, has a history of targeting Ukrainian entities for espionage purposes. Prior attacks have been observed leveraging security flaws in WinRAR software (CVE-2023-38831, CVSS score: 7.8) to propagate a malware known as LONEPAGE.
The latest infection chain involves using email lures related to court summons to entice recipients into clicking on links that are shortened using URL shortening services like Cuttly. These links, which are sent via UKR.NET email addresses, point to a double archive file containing an HTML Application (HTA) file.

The execution of the HTA payload triggers the launch of an obfuscated Visual Basic Script file that, in turn, creates a scheduled task for persistence and ultimately runs a loader named MATCHBOIL, a C#-based program that's designed to drop additional malware on the host.
This includes a backdoor known as MATCHWOK and a stealer named DRAGSTARE. Also written using the C# programming language, MATCHWOK is capable of executing PowerShell commands and passing the results of the execution to a remote server.
DRAGSTARE, on the other hand, is equipped to collect system information, data from web browsers, files matching a specific list of extensions (".docx", ".doc", ".xls", ".txt", ".ovpn", ".rdp", ".txt", and ".pdf") from the "Desktop", "Documents", "Downloads" folders, screenshots, and running PowerShell commands received from an attacker-controlled server.
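As an added illustration, not code from the CERT-UA advisory or from this article, the following Python sketch shows how a defender might hunt for the persistence step of the chain described above in process-creation telemetry: a `schtasks.exe /Create` whose ancestry passes through a script host (wscript.exe or cscript.exe) that was itself launched, directly or indirectly, by mshta.exe. The events, paths, task names and the `ProcEvent` record type are constructed for the example and are not indicators from the report.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style): pid, parent pid, image, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (hypothetical paths and task names; not from the CERT-UA report).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Chain as described in the article: HTA -> obfuscated VBScript -> scheduled task for persistence
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\victim\Downloads\summons\summons.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\upd.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC MINUTE /MO 3 /TN "SysUpdate" /TR "C:\Users\victim\AppData\Roaming\ld.exe"'),
    # Benign: an administrator creating a task from a command prompt (no script host, no HTA)
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Tools\backup.exe"'),
    # Benign: a script host launched directly by the user, only querying a task
    ProcEvent(700, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"'),
    ProcEvent(800, 700, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Query /TN "Backup"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[str]:
    """Image names of the parent, grandparent, ... (nearest first), stopping at a missing parent."""
    names: List[str] = []
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        names.append(image_name(parent.image))
        cur = parent
    return names


def find_hta_task_chains(events: Iterable[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, ancestor chain) for every 'schtasks.exe /Create' whose ancestry contains a
    script host, with mshta.exe somewhere above that script host."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, List[str]]] = []
    for e in by_pid.values():
        if image_name(e.image) != "schtasks.exe" or "/create" not in e.cmdline.lower():
            continue
        chain = ancestors(e, by_pid)
        host_idx = next((i for i, n in enumerate(chain) if n in SCRIPT_HOSTS), None)
        if host_idx is not None and "mshta.exe" in chain[host_idx + 1:]:
            hits.append((e.pid, chain))
    return hits


if __name__ == "__main__":
    for pid, chain in find_hta_task_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: schtasks /Create under {' <- '.join(chain)}")
```

The ancestry walk matters more than any single process name: mshta.exe and schtasks.exe are each common on their own, and it is the HTA-to-script-host-to-task lineage that distinguishes this chain from routine administration, as the two benign sequences in the sample show.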

The disclosure comes a little over a month after ESET published a detailed report cataloging Gamaredon's "relentless" spear-phishing attacks against Ukrainian entities in 2024, detailing its use of six new malware tools that are engineered for stealth, persistence, and lateral movement:

  • PteroDespair, a PowerShell reconnaissance tool to collect diagnostic data on previously deployed malware
  • PteroTickle, a PowerShell weaponizer that targets Python applications converted into executables on fixed and removable drives to facilitate lateral movement by injecting code that likely serves PteroPSLoad or another PowerShell downloader
  • PteroGraphin, a PowerShell tool to establish persistence using Microsoft Excel add-ins and scheduled tasks, as well as create an encrypted communication channel for payload delivery, via the Telegraph API
  • PteroStew, a VBScript downloader (similar to PteroSand and PteroRisk) that stores its code in alternate data streams associated with benign files on the victim's system
  • PteroQuark, a VBScript downloader introduced as a new component within the VBScript version of the PteroLNK weaponizer
  • PteroBox, a PowerShell file stealer resembling PteroPSDoor but exfiltrating stolen files to Dropbox

"Gamaredon's spearphishing activities significantly intensified during the second half of 2024," security researcher Zoltán Rusnák said. "Campaigns usually lasted one to five consecutive days, with emails containing malicious archives (RAR, ZIP, 7z) or XHTML files employing HTML smuggling techniques."
The attacks usually result in the delivery of malicious HTA or LNK files that execute embedded VBScript downloaders such as PteroSand, along with distributing updated versions of its existing tools like PteroPSDoor, PteroLNK, PteroVDoor, and PteroPSLoad.
Other notable aspects of the Russian-aligned threat actor's tradecraft include the use of fast-flux DNS techniques and the reliance on legitimate third-party services like Telegram, Telegraph, Codeberg, and Cloudflare tunnels to obfuscate its command-and-control (C2) infrastructure.
"Despite observable capacity limitations and abandoning older tools, Gamaredon remains a significant threat actor due to its continuous innovation, aggressive spearphishing campaigns, and persistent efforts to evade detections," ESET said.

Source: The Hacker News. Tags: Attacks, CERT-UA, Court, HTA-Delivered, Lures, Malware, Summons, Warns