UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE.

“The threat actor targets Ukrainian employees working for companies outside of Ukraine,” cybersecurity firm Deep Instinct said in a Thursday analysis.

UAC-0099 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives.

The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware that’s capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.

WinRAR Vulnerability

The other attack sequence uses a specially crafted ZIP archive that’s susceptible to CVE-2023-38831, with Deep Instinct finding two such artifacts created by UAC-0099 on August 5, 2023, three days after WinRAR maintainers released a patch for the bug.

“The tactics used by ‘UAC-0099’ are simple, yet effective,” the company said. “Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file.”

The development comes as CERT-UA warned of a new wave of phishing messages purporting to be outstanding Kyivstar dues to propagate a remote access trojan known as Remcos RAT. The agency attributed the campaign to UAC-0050.