CERT-UA warns of UAC-0099 phishing attacks targeting Ukraine’s defense sector

Ukraine’s CERT-UA warns of phishing attacks by the threat actor UAC-0099 targeting government and defense sectors, delivering malware such as MATCHBOIL, MATCHWOK, and DRAGSTARE.

Ukraine’s national cyber incident response team, CERT-UA, investigated multiple attacks against state authorities, the Defense Forces, and enterprises of the defense-industrial complex of Ukraine.

The attack chain starts with phishing emails, often titled “court summons”, sent via the UKR.NET email service. The messages contain links to legitimate file-sharing services hosting a nested (double) archive that contains an HTA file. When opened, the HTA runs obfuscated VBScript that drops files and creates a scheduled task to execute PowerShell code. That PowerShell code decodes HEX-encoded data, writes the bytes to a file, renames it to “AnimalUpdate.exe,” and registers a second scheduled task to run it regularly, launching the MATCHBOIL loader. The attackers were also seen deploying additional malware, including the MATCHWOK backdoor and the DRAGSTARE stealer. The researchers highlight the actors’ evolving tactics, which demonstrate their persistence and sophistication.

“The mentioned HTA file contains additionally obfuscated VBScript, which ensures the creation on the computer of a text file with HEX-encoded data (“documenttemp.txt”), a text file with PowerShell code (“temporarydoc.txt”) and a scheduled task (“PdfOpenTask”),” reads the report published by CERT-UA.
“The scheduled task “PdfOpenTask” is designed to read and execute PowerShell code, the main functionality of which is to convert HEX-encoded data into bytes, write it to a file with the “.txt” extension (“%PUBLIC%\Downloads\AnimalUpdate.txt”), move it to the EXE file “AnimalUpdate.exe” in the same directory, and create a scheduled task “\AnimalSoft\UpdateAnimalSoftware” to run the latter. This ensures the functioning of the MATCHBOIL loader on the computer (probably to replace LONEPAGE).”

MATCHBOIL is a C#-based loader designed to fetch and run additional payloads. It gathers system data (CPU ID, BIOS serial number, username, and MAC address), which is combined into a fingerprint and sent in HTTP headers during communication with its C2 server. The loader downloads payloads hidden behind image-like URIs, decodes them from HEX and then BASE64, and saves them as “.com” files. It stores the server address in a local configuration file and maintains persistence by creating a scheduled task (“DocumentTask”). MATCHBOIL is delivered through the HTA file in the phishing chain and gives the attackers long-term access to, and control over, compromised systems.

MATCHWOK is a C#-based backdoor that executes PowerShell commands by compiling .NET code at runtime, often through a renamed PowerShell executable. Command results are saved to a temporary file and sent over HTTPS to a server whose address is read from a local configuration file. Commands are AES-256 encrypted and hidden inside tags on remote web pages. Persistence for the backdoor is maintained by the MATCHBOIL loader, which creates a registry key. MATCHWOK also includes anti-analysis checks: it terminates or refuses to run if tools such as IDA, Wireshark, or Procmon are detected on the system.

UAC-0099 also uses DRAGSTARE, a C# stealer that collects system information, browser data (Chrome, Mozilla Firefox), and files with specific extensions (.docx, .pdf, etc.) from common user folders. It steals login credentials and cookies, and archives the collected files for exfiltration.
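The host-side artifacts of the chain above (mshta.exe running the HTA, .txt staging files, the named scheduled tasks, a scheduled-task-launched PowerShell that reads its code from a text file, and an executable written under %PUBLIC%\Downloads) are what a responder would hunt for in endpoint telemetry. The following is an added example of that detection logic, not CERT-UA's or Security Affairs' code and not the malware's: the event records are a simplified, constructed stand-in for Sysmon process-creation and file-creation events and Security scheduled-task-creation events, and the locations of the .txt staging files, the PowerShell command line, and the host name are assumptions. Only the task names, the AnimalUpdate.exe path, and the .exe/.com file types come from the report.

```python
"""Host-artifact detection for the UAC-0099 delivery chain (added example).

Events are constructed dicts standing in for Sysmon/Security telemetry:
process_create, file_create and task_created. Staging-file locations and the
PowerShell command line below are assumptions, not report content.
"""
import re
from dataclasses import dataclass

# Scheduled task leaf names quoted in the CERT-UA report (case-insensitive).
KNOWN_TASK_NAMES = {"pdfopentask", "updateanimalsoftware", "documenttask"}
# %PUBLIC%\Downloads, where the report places AnimalUpdate.exe.
PUBLIC_DOWNLOADS = re.compile(r"^c:\\users\\public\\downloads\\", re.IGNORECASE)
# .exe from the loader stage, .com from MATCHBOIL's downloaded payloads.
DROPPED_EXECUTABLE = re.compile(r"\.(exe|com)$", re.IGNORECASE)
# PowerShell command line referencing a .txt under Public\Downloads.
PS_READS_PUBLIC_TXT = re.compile(r"public\\downloads\\[^\s\"']+\.txt", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _leaf(task_name: str) -> str:
    """'\\AnimalSoft\\UpdateAnimalSoftware' -> 'updateanimalsoftware'."""
    return task_name.strip("\\").split("\\")[-1].lower()


def analyze(events):
    """Return one Finding per event that matches a stage of the chain."""
    findings = []
    for ev in events:
        host, kind = ev.get("host", "unknown"), ev.get("type")
        if kind == "process_create":
            image = ev.get("image", "").lower()
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("command_line", "")
            # Stage 1: mshta.exe runs the .hta unpacked from the archive.
            if image.endswith("\\mshta.exe") and ".hta" in cmd.lower():
                findings.append(Finding("hta_execution", host, cmd))
            # Stage 3: the task (Task Scheduler lives in svchost.exe) starts
            # PowerShell that reads its code from a .txt under Public\Downloads.
            if (image.endswith("\\powershell.exe")
                    and parent.endswith("\\svchost.exe")
                    and PS_READS_PUBLIC_TXT.search(cmd)):
                findings.append(Finding("task_powershell_txt_stage", host, cmd))
        elif kind == "file_create":
            path, creator = ev.get("path", ""), ev.get("image", "").lower()
            # Stage 2: the HTA's VBScript writes .txt staging files.
            if creator.endswith("\\mshta.exe") and path.lower().endswith(".txt"):
                findings.append(Finding("hta_drops_txt", host, path))
            # Stage 4: an executable materialises in %PUBLIC%\Downloads.
            if PUBLIC_DOWNLOADS.match(path) and DROPPED_EXECUTABLE.search(path):
                findings.append(Finding("exe_in_public_downloads", host, path))
        elif kind == "task_created" and _leaf(ev.get("task_name", "")) in KNOWN_TASK_NAMES:
            findings.append(Finding("known_task_name", host, ev["task_name"]))
    return findings


def flagged_hosts(events, min_rules=3):
    """Hosts where at least min_rules distinct rules fired: one executable in
    the Public Downloads folder is weak alone, several chain stages are not."""
    per_host = {}
    for f in analyze(events):
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in per_host.items() if len(rules) >= min_rules}


# Constructed sample telemetry: the chain on host ws01, then benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Users\u\Downloads\sub\court_summons.hta"'},
    {"type": "file_create", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "path": r"C:\Users\Public\Downloads\documenttemp.txt"},
    {"type": "file_create", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "path": r"C:\Users\Public\Downloads\temporarydoc.txt"},
    {"type": "task_created", "host": "ws01", "task_name": r"\PdfOpenTask"},
    {"type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'powershell.exe -NoP -W Hidden -C "iex (Get-Content C:\Users\Public\Downloads\temporarydoc.txt -Raw)"'},
    {"type": "file_create", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\Public\Downloads\AnimalUpdate.exe"},
    {"type": "task_created", "host": "ws01", "task_name": r"\AnimalSoft\UpdateAnimalSoftware"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"type": "task_created", "host": "ws01", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "file_create", "host": "ws01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\u\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:<28} {f.detail}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The task-name rule is the brittle one, since the names are trivial for the actor to rotate; the chain-shaped rules (HTA dropping text files, a task-launched PowerShell reading its code from a text file, an executable appearing under %PUBLIC%\Downloads) survive a rename and are the ones worth keeping in a production rule set. Sysmon only records the FileCreate of AnimalUpdate.txt and the resulting executable if its configuration covers the Public Downloads path, so check that before relying on stage 4.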
DRAGSTARE also executes PowerShell commands received from its server, checks for virtual machines to evade analysis, and maintains persistence through a registry key. The server address is stored encrypted in a configuration file, and the stealer uses flag files to track which collection stages (system information, screenshots, browser data) have already been completed.

The CERT-UA report includes indicators of compromise.

The UAC-0099 threat actor has targeted Ukraine since mid-2022, and it has also been observed targeting Ukrainian employees working for companies outside of Ukraine. In May 2023, CERT-UA warned of cyberespionage attacks carried out by UAC-0099 against state organizations and media representatives of Ukraine. In December 2023, UAC-0099 targeted Ukraine by exploiting the high-severity WinRAR flaw CVE-2023-38831 to deliver the LONEPAGE malware.

Pierluigi Paganini (SecurityAffairs – hacking, UAC-0099)