UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

Cyber Threat Summary:
A new report from cybersecurity firm Deep Instinct linked a threat actor known as UAC-0099 to a series of attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. In the attack chain observed by researchers, the group sends phishing messages containing HTA, RAR, and LNK file attachments designed to deploy LONEPAGE, a VBS malware capable of retrieving additional payloads from a C2 server, including keyloggers, stealers, and screenshot malware. According to Deep Instinct, the actors also rely on self-extracting (SFX) archives and booby-trapped ZIP files that exploit the WinRAR vulnerability (CVE-2023-38831) to further distribute LONEPAGE.

Security Officer Comments:
First documented in June 2023, UAC-0099 is known for targeting organizations and media entities residing in Ukraine for cyber espionage-related agendas. Despite the various infection vectors employed by this group, researchers note that they all rely on PowerShell and the creation of a scheduled task to execute their payload. While this tactic is simple, it has become effective in infecting targeted entities.
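
A triage check for the common denominator noted above (a newly created scheduled task that runs PowerShell or a script host), added here as an example and not taken from the Deep Instinct report. It assumes Windows Security event 4698 ("A scheduled task was created") is collected with its TaskContent field; the sample events, task names and paths are constructed, and mshta is included as an assumption because of the HTA lures.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Interpreters tied to the page (PowerShell; LONEPAGE is VBS); mshta is an added assumption.
SUSPECT = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b|\.vbs\b", re.I)

def _local(tag):
    """Strip the XML namespace so lookups work on event and task schemas alike."""
    return tag.rsplit("}", 1)[-1]

def task_actions(event_xml):
    """Return (task_name, [command lines]) for a 4698 event, or None for other events."""
    root = ET.fromstring(event_xml)
    event_id = next((e.text for e in root.iter() if _local(e.tag) == "EventID"), None)
    if event_id != "4698":
        return None
    data = {e.get("Name"): e.text or "" for e in root.iter() if _local(e.tag) == "Data"}
    task = ET.fromstring(data.get("TaskContent") or "<Task/>")
    cmds = []
    for ex in (e for e in task.iter() if _local(e.tag) == "Exec"):
        parts = {_local(c.tag): (c.text or "").strip() for c in ex}
        cmds.append(f"{parts.get('Command', '')} {parts.get('Arguments', '')}".strip())
    return data.get("TaskName", ""), cmds

def flag_events(events):
    """Return names of newly created tasks whose action runs a script interpreter."""
    hits = []
    for xml_text in events:
        parsed = task_actions(xml_text)
        if parsed and any(SUSPECT.search(c) for c in parsed[1]):
            hits.append(parsed[0])
    return hits

def _sample(event_id, name, command, args):
    """Build a constructed event; the task XML is escaped inside TaskContent as in real logs."""
    task = (f"<Task><Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{args}</Arguments></Exec></Actions></Task>")
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System><EventData>"
            f'<Data Name="TaskName">{name}</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')

SAMPLES = [  # constructed sample events, not real telemetry
    _sample(4698, r"\ExampleUpdater", "powershell.exe", r"-w hidden -File C:\Users\Public\example.ps1"),
    _sample(4698, r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe", "-c -h -o"),
    _sample(4698, r"\ExampleSync", "wscript.exe", r"C:\Users\Public\example.vbs"),
    _sample(4688, r"\NotATaskEvent", "powershell.exe", ""),
]
if __name__ == "__main__":
    print(flag_events(SAMPLES))
```

Legitimate software also registers PowerShell tasks, so treat hits as leads to review against a baseline of known tasks rather than as verdicts.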

Suggested Correction(s):
Organizations that are using WinRAR should update to the latest version as soon as possible and train employees on how to detect and avoid various phishing lures.

IOCs:
https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine

Link(s):
https://thehackernews.com/2023/12/uac-0099-using-winrar-exploit-to-target.html