Ukrainian remote workers targeted in new espionage campaign

Researchers have identified a new cyber operation aimed at Ukrainian employees working outside of the country.

The attacks, mostly carried out in August and November of this year, were attributed to a threat actor tracked as UAC-0099, according to a report by cybersecurity company Deep Instinct published this week.

The espionage group has been attacking Ukraine since at least mid-2022. In a previous campaign in June, the hackers sought to spy on Ukrainian government organizations and media, according to Ukraine’s computer emergency response team (CERT-UA).

The group’s tactics are “simple, yet effective,” according to Deep Instinct. In the phishing emails discovered by researchers, the hackers impersonated the city court in the western Ukrainian city of Lviv. The emails contained a file with a court summons that, once opened, executed malicious code that dropped the info-stealing malware called LonePage on the victim’s system.

These malicious emails were sent to the corporate email boxes of Ukrainian employees working remotely for a company outside of Ukraine.

In the attacks, the hackers exploited a high-severity vulnerability tracked as CVE-2023-38831. It’s a bug in the Windows file archiver tool WinRAR, which was abused by state-controlled hackers connected to Russia and China in early 2023 before being patched.

UAC-0099 started to exploit the vulnerability several days after the patch, according to Deep Instinct, showing “the level of sophistication of the attackers.”

The exploitation of this security flaw requires a user to interact with a specially crafted ZIP archive. The vulnerability might lead to high infection rates because the attacks are disguised so well, according to the report.

“Even security-savvy victims can fall for the deception, researchers said. “Expecting to open a benign file, the user will inadvertently execute malicious code.”

Even though the WinRAR vulnerability was fixed earlier this year, it doesn't mean that people are safe from attacks exploiting it.

“WinRAR requires a manual update, meaning that even if a patch is available, many people will likely still have a vulnerable version of WinRAR installed,” researchers said.