On December 17, 2024, the Government Computer Emergency Response Team of Ukraine (CERT-UA) was alerted by MIL.CERT-UA specialists to several malicious web resources impersonating the official website of the "Army+" application. The pages were hosted on the Cloudflare Workers service (workers[.]dev subdomains), which gives a lure page a trusted CDN domain and a valid TLS certificate without the attackers having to register or host infrastructure of their own.
The activity is tracked as UAC-0125 and is believed to be associated with the UAC-0002 cluster, also known as APT44 or Sandworm, a group with a well-documented history of cyber espionage and disruptive attacks against Ukrainian targets.
Methodology and Attack Chain
The attackers created fake web pages mimicking the "Army+" application to lure users into downloading a malicious executable named ArmyPlusInstaller-v.0.10.23722.exe (a second build, ArmyPlusInstaller-v.0.10.23672.exe, is listed in the IOCs below). The file is an NSIS (Nullsoft Scriptable Install System) installer that bundles the following components:
- Decoy File: ArmyPlus.exe, a .NET application that looks like the real client and is shown to the victim.
- Python Interpreter Files: used to run scripts bundled with the payload.
- Tor Program Files: used to expose the victim's SSH service as a Tor hidden service.
- PowerShell Script (init.ps1): the component that actually sets up the backdoor.
When executed, the installer performs the following actions:
- Decoy Execution: launches ArmyPlus.exe so the victim sees the application they expected.
- PowerShell Deployment: runs init.ps1, which
  - installs the OpenSSH server on the victim's system;
  - generates an RSA key pair and authorizes the public key for SSH login on the host (the private key is of use only to the attacker);
  - sends the private key to an attacker-controlled server via curl;
  - starts Tor and publishes the local SSH service as a hidden service reachable at a .onion address.
The result is covert, unattended remote access: the attacker connects over Tor to the .onion address and authenticates with the exfiltrated private key. Because the Tor client only makes outbound connections, no inbound port has to be opened on the victim's network edge, and the SSH server itself is a legitimate, signed Windows component rather than a custom implant.
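The following hunting script is an added example, not code from the CERT-UA advisory: it checks a Windows host for the artifacts the chain above leaves behind (an OpenSSH server, an authorized_keys file, a running Tor process, and a torrc that publishes a hidden service). The directories it searches for torrc are an assumption, since the page does not say where the installer drops the Tor files.

```powershell
# Added hunting example (not from the CERT-UA advisory). Run in an elevated
# PowerShell on the host under investigation.
# Assumption: the Tor files dropped by the installer live under the user profile,
# TEMP or ProgramData; adjust $torRoots if you know the real path.
function Find-UAC0125Persistence {
    $findings = [System.Collections.Generic.List[string]]::new()
    $torRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData, "$env:SystemDrive\Users\Public")

    # 1. OpenSSH server: service state and a listener on TCP/22
    $sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if ($sshd) {
        $findings.Add("sshd service present: Status=$($sshd.Status) StartType=$($sshd.StartType)")
    }
    foreach ($l in @(Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("TCP/22 listening, owning PID $($l.OwningProcess) ($($proc.ProcessName))")
    }

    # 2. Authorized keys: the generated public key must be authorized for login somewhere,
    #    so a recently modified authorized_keys on a host that never used SSH is the tell.
    $keyFiles = @("$env:ProgramData\ssh\administrators_authorized_keys")
    $keyFiles += @(Get-ChildItem -Path "$env:SystemDrive\Users\*\.ssh\authorized_keys" -Force -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty FullName)
    foreach ($f in $keyFiles) {
        if (-not $f -or -not (Test-Path -LiteralPath $f)) { continue }
        $item = Get-Item -LiteralPath $f -Force
        $keys = @(Get-Content -LiteralPath $f -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^(ssh-rsa|ssh-ed25519|ecdsa-sha2)' })
        $findings.Add("$f (modified $($item.LastWriteTime)) holds $($keys.Count) key(s)")
        foreach ($k in $keys) {
            $findings.Add('  ' + $k.Substring(0, [Math]::Min(70, $k.Length)))
        }
    }

    # 3. Tor: a running tor.exe, and any torrc that publishes a hidden service
    foreach ($p in @(Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue)) {
        if ($p.Name -ieq 'tor.exe' -or $p.CommandLine -match '(?i)torrc') {
            $findings.Add("Tor-like process: PID $($p.ProcessId) $($p.CommandLine)")
        }
    }
    foreach ($root in $torRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        foreach ($rc in @(Get-ChildItem -Path $root -Recurse -File -Force -Filter 'torrc*' -ErrorAction SilentlyContinue)) {
            foreach ($m in @(Select-String -LiteralPath $rc.FullName -Pattern '^\s*HiddenService(Dir|Port)\b')) {
                $findings.Add("$($rc.FullName): $($m.Line.Trim())")
                # HiddenServiceDir\hostname holds the published .onion name; compare it with the IOC list
                if ($m.Line -match '^\s*HiddenServiceDir\s+"?([^"]+?)"?\s*$') {
                    $hostFile = Join-Path $Matches[1] 'hostname'
                    if (Test-Path -LiteralPath $hostFile) {
                        $findings.Add("  published onion address: $(Get-Content -LiteralPath $hostFile -TotalCount 1)")
                    }
                }
            }
        }
    }

    if ($findings.Count -eq 0) { 'No UAC-0125-style SSH/Tor artifacts found.' } else { $findings }
}

Find-UAC0125Persistence
```

On a workstation that has never had OpenSSH Server enabled, any hit in sections 1 or 2 is worth escalating on its own; a HiddenServicePort line that maps to port 22 together with a listener on TCP/22 reproduces the exact configuration the advisory describes.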
Connection to APT44 and Past Attacks
The tooling aligns with earlier UAC-0002/APT44 activity, in particular the trojanized Microsoft Office installers seen earlier in 2024: a malicious Office image (Office16.iso) contained omas-x-none.msp and CommunicatorContentBinApp.cmd, which ran PowerShell commands to compromise the system.
The move from trojanized Office installers to a decoy application distributed through Cloudflare Workers shows the group adapting its delivery while keeping the same PowerShell-driven staging.
Indicators of Compromise (IOCs)
Organizations should monitor for the following IOCs associated with UAC-0125:
Files (MD5)
- ArmyPlusInstaller-v.0.10.23672.exe: 0799756f104a70cb6ce0cfc422de25db
- ArmyPlusInstaller-v.0.10.23722.exe: a27a90a685dad9fc7f1c5962f278f197
- init.ps1: 52853b39922251a4166a5b032e577e7a
- guid.txt: ed0c7c1925ac23bd8b4d09e77aabb0ee
- ArmyPlus.exe (decoy): a2f355057ade20d32afc5c4192ce3986
Malicious Domains
The attackers used subdomains under workers[.]dev, including:
- desktopapluscom.workers[.]dev
- armyplus-desktop.workers[.]dev
- aplusmodgovua.workers[.]dev
Tor Address
- wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad[.]onion
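The IOC sweep below is an added example and not part of the CERT-UA advisory. It hashes files in the usual download and temp locations against the MD5 list above, greps a DNS or proxy log export for the lure hostnames, and checks Sysmon DNS query events on the local host. The scan roots and the log path are assumptions to be replaced with your own sources.

```powershell
# Added IOC sweep example (not from the CERT-UA advisory). Run in an elevated PowerShell.
# Assumptions: the scan roots are the usual download/drop locations, $LogPath is a
# placeholder for your own DNS or proxy export, and the Sysmon check needs Sysmon with DNS logging.
function Find-UAC0125Iocs {
    param([string]$LogPath = 'C:\logs\proxy.log')   # assumed path; replace with your export

    $iocHashes = @{
        '0799756f104a70cb6ce0cfc422de25db' = 'ArmyPlusInstaller-v.0.10.23672.exe'
        'a27a90a685dad9fc7f1c5962f278f197' = 'ArmyPlusInstaller-v.0.10.23722.exe'
        '52853b39922251a4166a5b032e577e7a' = 'init.ps1'
        'ed0c7c1925ac23bd8b4d09e77aabb0ee' = 'guid.txt'
        'a2f355057ade20d32afc5c4192ce3986' = 'ArmyPlus.exe (decoy)'
    }
    $iocNames = @(
        'desktopapluscom.workers.dev',
        'armyplus-desktop.workers.dev',
        'aplusmodgovua.workers.dev',
        # the .onion name is never resolved through DNS; it is listed so that exported
        # torrc/hostname or proxy artifacts that contain it are still caught
        'wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad.onion'
    )
    $escaped   = $iocNames | ForEach-Object { [regex]::Escape($_) }
    $nameRegex = '(?i)(^|[^a-z0-9-])(' + ($escaped -join '|') + ')($|[^a-z0-9-])'

    # 1. Files: MD5 every file in the drop locations and look it up in the IOC table.
    $scanRoots = @("$env:SystemDrive\Users\*\Downloads", "$env:SystemDrive\Users\*\AppData\Local\Temp")
    foreach ($file in @(Get-ChildItem -Path $scanRoots -Recurse -File -Force -ErrorAction SilentlyContinue)) {
        $h = Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        if ($h -and $iocHashes.ContainsKey($h.Hash.ToLower())) {
            [pscustomobject]@{ Kind = 'file'; Where = $file.FullName; Match = "$($h.Hash.ToLower()) = $($iocHashes[$h.Hash.ToLower()])" }
        }
    }

    # 2. Log export: any line naming one of the lure hosts.
    if (Test-Path -LiteralPath $LogPath) {
        foreach ($hit in @(Select-String -LiteralPath $LogPath -Pattern $nameRegex)) {
            [pscustomobject]@{ Kind = 'log'; Where = "$LogPath line $($hit.LineNumber)"; Match = $hit.Matches[0].Groups[2].Value }
        }
    }

    # 3. Sysmon DNS query events (Event ID 22) on this host.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $m = [regex]::Match($e.Message, $nameRegex)
        if ($m.Success) {
            [pscustomobject]@{ Kind = 'sysmon-dns'; Where = $e.TimeCreated; Match = $m.Groups[2].Value }
        }
    }
}

Find-UAC0125Iocs | Format-Table -AutoSize
```

The hash check only catches the exact builds listed; a recompiled installer will have a different MD5, so treat the workers[.]dev hostnames and the SSH/Tor persistence artifacts as the more durable indicators.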
Mitigation Strategies
To counter such threats, CERT-UA recommends:
- User Awareness: train users to obtain official applications only from verified sources and to recognise look-alike download pages.
- System Hardening: restrict the installation of unapproved software and the execution of unsigned scripts on endpoints.
- Network Monitoring: watch for connections to the workers[.]dev subdomains listed above and for Tor usage from hosts; a .onion name is resolved inside the Tor network, so the hidden-service address itself will not appear in DNS logs.
- Patch Management: keep software up to date to close known vulnerabilities.
- Incident Response: develop and rehearse a comprehensive incident response plan.
Conclusion
The UAC-0125 campaign combines a simple lure (a fake download page on trusted cloud infrastructure) with persistence built from legitimate components (OpenSSH and Tor rather than a custom implant), which is why it blends in so well on a victim host. Organizations must remain vigilant, adopt proactive cybersecurity measures, and leverage threat intelligence to detect and mitigate such campaigns promptly.
Reference: https://cert.gov.ua/article/6281701