APT GROUP UAC-0099 TARGETS UKRAINE EXPLOITING A WINRAR FLAW

The threat actor UAC-0099 is exploiting a flaw in the WinRAR to deliver LONEPAGE malware in attacks against Ukraine.
威胁行为者 UAC-0099 正在利用 WinRAR 中的缺陷在对乌克兰的攻击中提供 LONEPAGE 恶意软件。

A threat actor, tracked as UAC-0099, continues to target Ukraine. In some attacks, the APT group exploited a high-severity WinRAR flaw CVE-2023-38831 to deliver the LONEPAGE malware.
一个被追踪为 UAC-0099 的威胁行为者继续以乌克兰为目标。在某些攻击中，APT 组织利用高严重性 WinRAR 缺陷 CVE-2023-38831 来传播 LONEPAGE 恶意软件。

UAC-0099 threat actor has targeted Ukraine since mid-2022, it was spotted targeting Ukrainian employees working for companies outside of Ukraine.
UAC-0099 威胁行为者自 2022 年年中以来一直以乌克兰为目标，它被发现针对在乌克兰境外公司工作的乌克兰员工。

In May 2023, CERT-UA warned of cyberespionage attacks carried out by UAC-0099 against state organizations and media representatives of Ukraine
2023 年 5 月，CERT-UA 警告 UAC-0099 对乌克兰国家组织和媒体代表进行网络间谍攻击

Since the CERT-UA publication in May, Deep Instinct has identified new attacks carried out by “UAC-0099” against Ukrainian targets.
自 5 月发布 CERT-UA 以来，Deep Instinct 已经确定了“UAC-0099”对乌克兰目标进行的新攻击。

In early August, the group UAC-0099 sent an email impersonating the Lviv city court using the ukr.net email service.
8月初，UAC-0099组织使用 ukr.net 电子邮件服务发送了一封冒充利沃夫市法院的电子邮件。

The group used different different infection vectors, the researchers detailed phishing attacks using HTA, RAR, and LNK file attachments. The last-stage malware is the Visual Basic Script (VBS) malware LONEPAGE.
该小组使用了不同的感染媒介，研究人员详细介绍了使用 HTA、RAR 和 LNK 文件附件的网络钓鱼攻击。最后阶段的恶意软件是 Visual Basic 脚本 （VBS） 恶意软件 LONEPAGE。

The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of the Visual Basic Script (VBS) malware LONEPAGE. The malicious code can retrieve additional payloads, including keyloggers and info-stealers.
攻击链利用包含 HTA、RAR 和 LNK 文件附件的网络钓鱼消息，导致部署了 Visual Basic 脚本 （VBS） 恶意软件 LONEPAGE。恶意代码可以检索其他有效负载，包括键盘记录器和信息窃取程序。

Deep Instinct reported that the group UAC-0099 exploited the WinRAR flaw CVE-2023-38831, a POC for the issue is available on GitHub. The WinRAR version 6.23 which was released on August 2, 2023, addressed the vulnerability.
Deep Instinct 报告称，该组织 UAC-0099 利用了 WinRAR 漏洞 CVE-2023-38831，GitHub 上提供了该问题的 POC。2023 年 8 月 2 日发布的 WinRAR 6.23 版本解决了该漏洞。

“the attacker creates an archive with a benign filename with a space after the file extension — for example, “poc.pdf .” The archive includes a folder with the same name, including the space (something that is not possible under normal conditions, since the operating system does not allow the creation of a file with the same name). The folder includes an additional file with the same name as the benign file, including a space, followed by a “.cmd” extension.” reads the report published by Deep Instinct. “When a user opens a ZIP file containing these files in an unpatched version of WinRAR and double-clicks on the benign file, the file with the “cmd” extension is executed instead.”
“攻击者创建一个具有良性文件名的存档，文件扩展名后有一个空格 – 例如，”poc.pdf ”。存档包括一个同名的文件夹，包括空间（这在正常情况下是不可能的，因为操作系统不允许创建同名的文件）。该文件夹包括一个与良性文件同名的附加文件，包括一个空格，后跟一个“.cmd”扩展名。“当用户在未修补的WinRAR版本中打开包含这些文件的ZIP文件并双击良性文件时，带有”cmd“扩展名的文件将被执行。

The researchers pointed out that this attack technique can also deceive security-savvy victims.
研究人员指出，这种攻击技术还可以欺骗精通安全的受害者。

You can find a POC for the vulnerability in GitHub. A patched WinRAR (version 6.23) was released on August 2, 2023.
您可以在 GitHub 中找到该漏洞的 POC。2023 年 8 月 2 日发布了修补的 WinRAR（版本 6.23）。

“The tactics used by “UAC-0099” are simple, yet effective. Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file.” concludes the report. “The WinRAR exploitation is an interesting choice. Some people don’t update their software in a timely fashion, even with automatic updates. WinRAR requires a manual update, meaning that even if a patch is available, many people will likely still have a vulnerable version of WinRAR installed.”
“”UAC-0099“使用的策略简单而有效。尽管初始感染媒介不同，但核心感染是相同的——它们依赖于 PowerShell 和创建执行 VBS 文件的计划任务。“WinRAR的开发是一个有趣的选择。有些人不会及时更新他们的软件，即使有自动更新。WinRAR 需要手动更新，这意味着即使有可用的补丁，许多人可能仍然安装了易受攻击的 WinRAR 版本。

始发于Pierluigi Paganini：APT GROUP UAC-0099 TARGETS UKRAINE EXPLOITING A WINRAR FLAW