do son@securityonline.info
//
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UNC-200 is behind the campaign, which involves targeting high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which utilizes the Dark Crystal RAT (aka DCRat) to compromise systems.
This malicious activity involves distributing messages via Signal that contain what appears to be meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control, stealing valuable information and executing arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, who noted that the use of popular messengers increases the attack surface, including due to the creation of uncontrolled information exchange channels.
References :
- cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
- securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
- SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
- The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
- BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
- BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
- securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
- BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
- Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
- bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.
Classification:
Arda Büyükkaya@EclecticIQ Blog
//
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.
EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register domains used in the attacks. The attackers are also deploying a BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware. This malicious tool abuses legitimate Windows processes to evade detection, such as using `wmic` to add Microsoft Defender exclusions and `reg` to gather information about Defender's status, mimicking the behavior of legitimate KMS activators, while injecting malicious payloads onto compromised systems.
References :
- bsky.app: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
- BleepingComputer: Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
- www.bleepingcomputer.com: Russian military hackers deploy malicious Windows activators in Ukraine
- Know Your Adversary: EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader.
- EclecticIQ Blog: Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
- Anonymous ???????? :af:: Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign.
- MSSP feed for Latest: Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed.
- securityaffairs.com: Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools.
- ciso2ciso.com: Source: socprime.com – Author: Daryna Olyniychuk For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure.
- www.microsoft.com: Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments.
- ciso2ciso.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
– Source: socprime.com
- securityonline.info: Discussion of the campaign, the methods used by the attackers and potential consequences.
- BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- : Microsoft : Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear [sic] initial access operation (tracked as the "BadPilot campaign"). This blog details this subgroup's recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard's scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities. Indicators of compromise and Yara rules are listed.
- socprime.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
- securityaffairs.com: Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Russian cyber operations. Seashell Blizzard (aka Sandworm, BlackEnergy and TeleBots) has been active in the cybersecurity arena for more than a decade.
Classification:
Veronika Telychko@SOC Prime Blog
//
Criminal group UAC-0173 is actively targeting Ukrainian notaries in a series of cyberattacks. These attacks, which have been ongoing since mid-January 2025, involve the use of DARKCRYSTALRAT malware. The cybercriminals are exploiting RDP tools to breach Ukraine's notarial offices, aiming to manipulate state registers. CERT-UA has issued an alert, CERT-UA#13738, regarding these activities.
SOC Prime has released Sigma rules to detect UAC-0173 attacks leveraging DARKCRYSTALRAT malware, providing cybersecurity professionals with tools to identify and mitigate these threats. These attacks by UAC-0173 highlight the ongoing cyber warfare impacting critical infrastructure and organizations within Ukraine.
CERT-UA reports Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices.
References :
- SOC Prime Blog: UAC-0173 Activity Detection: Hackers Launch Phishing Attacks Against Ukrainian Notaries Using the DARKCRYSTALRAT Malware
- thecyberexpress.com: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports
- securityaffairs.com: Criminal group UAC-0173 targets the Notary Office of Ukraine
- The Hacker News: CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries
- Talkback Resources: Cyble article describing CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries
- Talkback Resources: Report that a criminal group UAC-0173 targets the Notary Office of Ukraine
Classification:
- HashTags: #UAC0173 #DCRAT #Cyberattack
- Company: CERT-UA
- Target: Ukrainian notaries
- Attacker: UAC-0173
- Product: Notary services
- Feature: Remote access
- Malware: DCRat
- Type: Malware
- Severity: Major
|
|
FlagThis - #ukraine
