UAC-0142 APT targets Ukraine’s Delta military intelligence program

Ukraine’s CERT-UA revealed the national Delta military intelligence program has been targeted with a malware-based attack.

On December 17, 2022, the Center for Innovations and Development of Defense Technologies of the Ministry of Defense of Ukraine informed the Government Computer Emergency Response Team of Ukraine (CERT-UA) of being targeted by a malware-based attack.

The spear phishing messages were sent from a compromised e-mail address belonging to an employee of the Ministry of Defense, as well as messengers. The message urges the recipient to update certificates in the “DELTA” system, it also uses an attached PDF document that imitates legitimate digests of the ISTAR unit of the Zaporizhzhia Police Department.

“The Delta is a system for collecting, processing and displaying information about enemy forces, coordinating of defense forces, as well as providing situational awareness according to NATO standards, developed by the Center for Innovation and Development of Defense Technologies of the Ministry of Defense of Ukraine.” states the Ukrainian military.

According to CERT-UA, the document contains a link to a malicious ZIP archive (“certificates_rootca.zip”) that is hosted on a bogus Delta domain.

Upon executing an executable “certificates_rootCA.exe” included in the archive, it will install two malware onto the compromised systems; the info-stealing malware FateGrab used to steal sensitive data (emails, databases, scripts and documents) and the StealDeal malware which steals Internet browser data.

These files are designed to deploy two pieces of malware onto compromised systems, including one named FateGrab, which harvests emails, databases, scripts and documents, and one called StealDeal, which collects internet browser data and more.

“If you follow the link, the “certificates_rootca.zip” archive containing the “certificates_rootCA.exe” executable file protected by VMProtect will be downloaded to your computer (the file was compiled and digitally signed on 12/15/2022).” reads the advisory published by the CERT-UA.

“After running the EXE file, several DLL files, also protected by VMProtect, and an “ais.exe” file simulating the certificate installation process will be created on the PC. Later, two malicious programs will be launched on the victim’s computer:” reads the alert published by CERT-UA. “FateGrab (“FileInfo.dll”; “ftp_file_graber.dll”), the functionality of which involves stealing files with extensions: ‘.txt’, ‘.rtf’, ‘. xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘. doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’, ‘.email’ with their subsequent exfiltration via FTP, and StealDeal (“procsys.dll”; “StealDll.dll”) , designed, among other things, to steal Internet browser data.”

The Ukrainian authorities attribute the attack to the threat actor tracked as UAC-0142.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Delta military intelligence)

[adrotate banner=”5″]

[adrotate banner=”13″]