Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173 that involves infecting computers with a remote access trojan named DCRat (aka DarkCrystal RAT). The Ukrainian cybersecurity authority said it observed the latest attack wave starting in mid-January 2025. The activity is designed to target the
Analysis Summary
# Incident Report: UAC-0173 Campaign Targets Ukrainian Notaries with DCRat
## Executive Summary
CERT-UA issued a warning regarding renewed activity by the UAC-0173 threat group, targeting Notaries in Ukraine starting in mid-January 2025. The attack utilized phishing emails masquerading as official communications from the Ministry of Justice to deploy the DCRat remote access Trojan. The compromise resulted in the installation of tools to enable persistent remote access (RDPWRAPPER) and data exfiltration (XWorm), significantly impacting the targeted organizations' security posture.
## Incident Details
- **Discovery Date:** Not stated exactly; disclosed in the CERT-UA warning issued on Tuesday, which references activity observed starting in mid-January 2025
- **Incident Date:** Mid-January 2025
- **Affected Organization:** Notaries of Ukraine
- **Sector:** Government / Legal Services
- **Geography:** Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-January 2025
- **Vector:** Phishing Emails
- **Details:** Attackers sent emails claiming to be from the Ministry of Justice of Ukraine, instructing recipients to download an executable file. The malicious binary payload was hosted on Cloudflare's R2 cloud storage service.
### Lateral Movement
- **Details:** Upon gaining initial access, the attackers installed supplementary tools: **RDPWRAPPER** to enable parallel Remote Desktop Protocol (RDP) sessions on the compromised host, and the **BORE** utility to expose those RDP sessions directly to the internet. Attackers also used **NMAP** for internal network scanning.
### Data Exfiltration/Impact
- **Details:** Attackers used the **XWorm** malware to steal sensitive data, specifically targeting credentials and clipboard content. They also deployed **FIDDLER** to intercept authentication data entered into the web interfaces of state registers. Compromised systems were subsequently used to send out further malicious emails using the **SENDMAIL** console utility for propagation.
### Detection & Response
- **Details:** The activity was detected and reported by the Computer Emergency Response Team of Ukraine (CERT-UA). (Specific containment/eradication details were not provided in the description, only the warning/disclosure.)
## Attack Methodology
- **Initial Access:** Spear-phishing via email containing a malicious executable disguised as an official document.
- **Persistence:** Installation of RDPWRAPPER to maintain remote connectivity via RDP.
- **Privilege Escalation:** Not explicitly detailed, but likely achieved through the execution of the initial payload.
- **Defense Evasion:** Use of an established cloud storage service (Cloudflare R2) to host the malware.
- **Credential Access:** Use of XWorm (stealing clipboard content/credentials) and FIDDLER (intercepting authentication data from web interfaces).
- **Discovery:** Use of NMAP for network scanning.
- **Lateral Movement:** Established RDP channels via BORE and RDPWRAPPER.
- **Collection:** FIDDLER and XWorm used to gather authentication data, credentials, and clipboard data.
- **Exfiltration:** Not explicitly detailed, but facilitated by persistent remote access via DCRat.
- **Impact:** Installation of surveillance and remote control malware (DCRat), data theft, and potential misuse of compromised systems for further attacks (email sending).
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Credentials, authentication data from state registers, and clipboard content stolen.
- **Operational:** Disruption to the workflow of Notaries due to compromise of their automated workplaces.
- **Reputational:** Potential erosion of public trust concerning the security of state register data.
## Indicators of Compromise
- **Network indicators:** Use of Cloudflare R2 for hosting binaries. (Specific URLs/IPs redacted for security).
- **File indicators:** DCRat (DarkCrystal RAT), RDPWRAPPER, BORE utility, FIDDLER, NMAP, XWorm, SENDMAIL.
- **Behavioral indicators:** Deployment of persistence mechanisms via RDP wrapper, interception of authentication input via web interface monitoring.
## Response Actions
*(Note: The provided article focuses on the warning/detection, not the remediation steps taken by the victims. General assumed steps are listed.)*
- **Containment measures:** Identified and potentially blocked network connections related to DCRat command and control servers.
- **Eradication steps:** Removal of DCRat, RDPWRAPPER, BORE, FIDDLER, NMAP, XWorm, and SENDMAIL from affected systems.
- **Recovery actions:** Resetting of all compromised credentials and restoration of system integrity.
## Lessons Learned
- **Key takeaways:** Criminal groups, such as UAC-0173, continue to aggressively target critical public sectors (like notary services) using commercially available tools (DCRat) combined with bespoke access mechanisms (RDP setup). Reliance on official-looking communications remains a highly effective initial access vector.
- **What could have been done better:** Improved email filtering capabilities to catch attachments disguised as official ministry documents and stricter endpoint protection against unauthorized RDP modification tools (RDPWRAPPER).
## Recommendations
- **Prevention measures for similar incidents:** Implement mandatory security training focusing on identifying phishing lures involving government agencies. Deploy robust endpoint detection and response (EDR) solutions to detect unauthorized installation of utilities like RDPWRAPPER and BORE. Apply network segmentation to isolate critical data access points (like state register web interfaces).
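The recommendation above to detect unauthorized installation of RDPWRAPPER and BORE can be expressed as endpoint detection logic. The following is an added example, not CERT-UA's indicators or the report's own code: it runs three rules over constructed Sysmon-style events (field names, file paths and the relay hostname are assumptions), flagging the TermService `ServiceDll` repoint that RDP Wrapper relies on, loads of `rdpwrap.dll`, and launches of the bore and nmap binaries.

```python
"""Detection rules for the tradecraft in this report (RDP Wrapper install,
bore tunnelling, nmap discovery) over constructed Sysmon-style events.
Added example; event field names mirror Sysmon but are assumptions."""
import re

# RDP Wrapper works by repointing the Terminal Services ServiceDll value at
# its own rdpwrap.dll, so any value other than the stock termsrv.dll is a hit.
TERMSRV_KEY = r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll"
LEGIT_SERVICEDLL = re.compile(r"^(%SystemRoot%|C:\\Windows)\\System32\\termsrv\.dll$", re.I)

SUSPECT_IMAGES = {"bore.exe": "bore tunnel (RDP exposed to the internet)",
                  "nmap.exe": "nmap internal discovery"}

def analyze_events(events):
    """Return (rule, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "RegistrySetValue" and ev["target"].lower() == TERMSRV_KEY.lower():
            if not LEGIT_SERVICEDLL.match(ev["details"]):
                findings.append(("TermService ServiceDll tampered", ev["details"]))
        elif kind == "ImageLoad" and ev["image"].lower().endswith("\\rdpwrap.dll"):
            findings.append(("rdpwrap.dll loaded", f'{ev["process"]} <- {ev["image"]}'))
        elif kind == "ProcessCreate":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_IMAGES:
                findings.append((SUSPECT_IMAGES[name], ev["cmdline"]))
    return findings

# Constructed sample telemetry (not real IoCs); paths and relay are placeholders.
SAMPLE_EVENTS = [
    {"type": "RegistrySetValue", "target": TERMSRV_KEY,
     "details": r"%SystemRoot%\System32\termsrv.dll"},            # benign baseline
    {"type": "RegistrySetValue", "target": TERMSRV_KEY,
     "details": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},      # RDP Wrapper install
    {"type": "ImageLoad", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\bore.exe",
     "cmdline": "bore.exe local 3389 --to <placeholder-relay>"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": "mstsc.exe /v:fileserver"},                         # benign
]

if __name__ == "__main__":
    for rule, detail in analyze_events(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```

The baseline `ServiceDll` rule is the most durable of the three, since renaming the binaries defeats the name-based rules but not the registry check.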