The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE.
“This research focuses on completing the picture of UAC-0063’s operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the UK, the Netherlands, Romania, and Georgia,” Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.
UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It is suspected to share links with a known Russian state-sponsored actor referred to as APT28.
Merely weeks later, the Computer Emergency Response Team of Ukraine (CERT-UA) – which assigned the threat cluster its moniker – revealed that the hacking group has been operational since at least 2021, attacking state bodies within the country with a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and DownEx.
There is evidence that UAC-0063 has also targeted various entities in organizations in Central Asia, East Asia, and Europe, according to Recorded Future’s Insikt Group, which has assigned the threat actor the name TAG-110.
Earlier this month, cybersecurity company Sekoia disclosed that it identified a campaign undertaken by the hacking crew that involved using documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan to spear-phish targets and deliver the HATVIBE malware.
The latest findings from Bitdefender demonstrate a continuation of this behavior, with the intrusions ultimately paving the way for DownEx, DownExPyer, and a newly discovered USB data exfiltrator codenamed PyPlunderPlug in at least one incident targeting a German company in mid-January 2023.
DownExPyer comes fitted with varied capabilities to maintain a persistent connection with a remote server and receive instructions to collect data, execute commands, and deploy additional payloads. The list of tasks received from the command-and-control (C2) server is below –
- A3 – Exfiltrate files matching a specific set of extensions to C2
- A4 – Exfiltrate files and keystroke logs to C2 and delete them after transmission
- A5 – Execute commands (by default the “systeminfo” function is called to harvest system information)
- A6 – Enumerate the file system
- A7 – Take screenshots
- A11 – Terminate another running process
“The stability of DownExPyer’s core functionalities over the past two years is a significant indicator of its maturity and likely long-standing presence within the UAC-0063 arsenal,” Zugec explained. “This observed stability suggests that DownExPyer was likely already operational and refined prior to 2022.”
Bitdefender said it also identified a Python script designed to record keystrokes – likely a precursor to LOGPIE – on one of the compromised machines that was infected with DownEx, DownExPyer, and HATVIBE.
“UAC-0063 exemplifies a sophisticated threat actor group characterized by its advanced capabilities and persistent targeting of government entities,” Zugec said.
“Their arsenal, featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with potential Russian strategic interests.”