The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new campaign by the criminal group UAC-0173 targeting Ukrainian notaries with the remote access trojan DCRat (aka DarkCrystal RAT).
The campaign started in mid-January 2025. The attack chain begins with phishing messages claiming to be sent on behalf of territorial divisions of the Ministry of Justice of Ukraine.
The messages include links pointing to an executable file (for example, “HAKA3.exe”, “Order of the Ministry of Justice of February 10, 2025 No. 43613.1-03.exe”, “For your information.exe”) hosted on Cloudflare’s R2 cloud storage service. Upon launching the executable, the systems are infected with the DARKCRYSTAL RAT (DCRAT) malware.
UAC-0173 uses RDPWRAPPER and BORE to enable remote access, bypasses UAC, and scans networks with NMAP. The attackers rely on FIDDLER to intercept credentials and on the XWORM info-stealer to steal data. Government experts also observed that compromised systems were abused to send malicious emails with SENDEMAIL.
“Having thus provided initial access to the notary’s automated workplace, the attackers take measures to install additional tools, in particular, RDPWRAPPER, which implements the functionality of parallel RDP sessions, which, in combination with the use of the BORE utility, allows you to establish an RDP connection from the Internet directly to the computer.” states the report published by CERT-UA.
“Among other things, the use of programs to bypass the UAC (User Account Control) account control mechanism, the NMAP network scanner, the FIDDLER proxy/sniffer (to intercept authentication data entered in the web interface of state registers), and the XWORM stealer (to steal logins and passwords, including from the clipboard and when entering them using the keyboard) was noted.”
CERT-UA, with the assistance of the Commission on Informatization, Digital Transformation and Prevention of Cybercrime of the Notary Chamber of Ukraine, provided recommendations to enhance the cyber security of potential targets.
CERT-UA, with the NPU Cybersecurity Commission, identified affected computers in six Ukrainian regions, prevented attacks, and provided security settings to notaries.
“Therefore, we consider it appropriate for the State Enterprise “NAIS”, with the assistance of the Cybersecurity Commission of the National Police of Ukraine, and, if necessary, with the involvement of CERT-UA, to take into account the current landscape of cyber threats and provide for compensatory organizational and technical measures, both at the level of notaries’ computers and on the side of state registers. It should be added that the territory of the crime, at least in the context of beneficiaries, is Ukraine, and therefore, the fight against the cyber threat clearly requires the involvement of the resources of law enforcement agencies of Ukraine.” concludes the report that includes Indicators of Compromise (IoCs). “We urge notaries, if suspicious activity is detected, to immediately inform the Notary Chamber of Ukraine and CERT-UA so that they can take response measures.”
(SecurityAffairs – hacking, malware)