Full Report
The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE. "This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia,
Analysis Summary
# Threat Actor: UAC-0063
## Attribution & Identity
* **Primary Designation:** UAC-0063
* **Aliases/Associated Groups:** TAG-110 (assigned by Recorded Future's Insikt Group). Presumed to share links with the Russian state-sponsored actor APT28.
* **First Observed:** Flagged in May 2023 by Bitdefender, but operational since at least 2021 according to CERT-UA.
## Activity Summary
UAC-0063 is an espionage-focused APT group specializing in information gathering and intelligence collection. Recent activities include leveraging legitimate documents stolen from one victim (e.g., Ministry of Foreign Affairs of the Republic of Kazakhstan) to spear-phish and attack subsequent targets. The group has historically focused on Central Asia but has recently expanded its operations to target embassies in several European countries.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Spear-phishing with weaponized versions of genuine documents stolen from earlier victims; the documents serve as the lure and deliver the HATVIBE loader.
* **Persistence/Command & Control:** DownExPyer maintains a persistent connection to its C2 servers, from which it receives commands, and returns harvested system information and the results of further actions.
* **Data Exfiltration:** Dedicated C2 commands exfiltrate files matching a configured set of extensions together with keystroke logs.
* **Collection:** Keylogging and screenshot capture.
* **Techniques (Based on Malware Capabilities):**
* Exfiltrate files matching a specific set of extensions to C2.
* Exfiltrate files and keystroke logs to C2 and delete them after transmission.
* Execute commands (e.g., `systeminfo` function to harvest system information).
* Enumerate the file system.
* Take screenshots.
* Terminate other running tasks.
## Targeting
* **Sectors:** Government entities, foreign service organizations (Embassies).
* **Geography:** Initial focus on Central Asia, expanded to include European countries such as Germany, the UK, the Netherlands, Romania, and Georgia. Ukraine state bodies were also targeted.
* **Victims:** Government entities in Central Asia; Embassies in Europe; organizations in East Asia. A German company was targeted in a mid-January 2023 campaign.
## Tools & Infrastructure
* **Malware Families Used:**
* **HATVIBE:** An HTML Application (HTA) script loader, the first stage delivered by the phishing documents.
* **DownEx (aka STILLARCH):** Primary data exfiltration malware.
* **DownExPyer (aka CHERRYSPY):** A Python backdoor with extensive remote execution and data collection capabilities.
* **LOGPIE:** A Python script designed to record keystrokes.
* **PyPlunderPlug:** A newly documented USB data exfiltrator.
* **Infrastructure:** C2 servers issue commands to DownExPyer and receive the exfiltrated data. The source article does not list specific C2 IP addresses or domains.
## Implications
UAC-0063 is a sophisticated, persistent espionage actor whose collection priorities are consistent with Russian strategic interests, in line with its presumed link to APT28. The stability of core tools such as DownExPyer over several years indicates a mature, long-running operation rather than an opportunistic one. Its expansion from Central Asia to European diplomatic targets widens the set of organizations that should treat this group as a relevant threat.
## Mitigations
* Treat document authenticity as a weak signal: the group's lures are genuine documents taken from previously compromised organizations, so a file that looks real and reads correctly may still be the delivery vehicle. Focus on the behaviour that follows opening the document rather than on the document itself.
* Deploy endpoint detection and response (EDR) tuned for the behaviours these implants exhibit: HTA script execution launched from document-handling applications, keylogging, screenshot capture, file-system enumeration and command execution by implants such as DownExPyer.
* Monitor for data movement consistent with the exfiltration path: files matching document extensions being read or staged in bulk, transferred to an external host, and then deleted.
* Be particularly vigilant for the multi-stage chain (HATVIBE, DownEx, DownExPyer) on networks in the governmental and diplomatic sectors, where one stage observed on a host should prompt a hunt for the others.
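The malware capabilities listed under Tactics, Techniques & Procedures and the mitigations above translate into a small set of host-level detections. The following script is an added example, not code from Sekoia, CERT-UA or the reporting article, and it runs over constructed Sysmon-style process-creation and file-deletion events rather than real telemetry. Two things are assumptions that the page does not state: that a HATVIBE-style HTA loader is hosted by mshta.exe (the standard Windows HTA host), and that the group's Python implants run from a Python interpreter placed in a user-writable path. The document extension list is likewise assumed; the page does not publish DownExPyer's actual extension set.

```python
"""Detection heuristics for UAC-0063-style tradecraft (added example, not vendor code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Paths an unprivileged user can write to; implants dropped by a phishing document land here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
PYTHON_IMAGE = re.compile(r"^pythonw?(\d+(\.\d+)?)?\.exe$", re.I)
# Assumed collection targets; the page does not list the implant's real extension set.
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt")
PURGE_THRESHOLD = 5   # deletions of document files by one process ...
PURGE_WINDOW = 60     # ... within this many seconds


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


@dataclass
class FileDeleteEvent:
    host: str
    image: str   # process that deleted the file
    target: str  # deleted file path
    ts: int      # seconds since epoch (constructed)


def detect_hta_loader(ev):
    """Rule 1: HTA host spawned by an Office process, or loading an .hta from a user-writable path."""
    if basename(ev.image) != "mshta.exe":
        return None
    if basename(ev.parent_image) in OFFICE_PARENTS:
        return "mshta.exe spawned by Office process"
    if ".hta" in ev.cmdline.lower() and USER_WRITABLE.search(ev.cmdline):
        return "mshta.exe loading HTA from user-writable path"
    return None


def detect_user_path_python(ev):
    """Rule 2 (assumption): Python interpreter executing from a user-writable path."""
    if PYTHON_IMAGE.match(basename(ev.image)) and USER_WRITABLE.search(ev.image):
        return "Python interpreter running from user-writable path"
    return None


def detect_document_purge(events, threshold=PURGE_THRESHOLD, window=PURGE_WINDOW):
    """Rule 3: one process deleting >= threshold document files inside a sliding time window,
    the clean-up step of 'exfiltrate, then delete after transmission'."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev.target.lower().endswith(DOC_EXTENSIONS):
            by_proc[(ev.host, ev.image)].append(ev.ts)
    alerts = []
    for (host, image), stamps in by_proc.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append((host, basename(image), j - i + 1))
                break  # one alert per process is enough
    return alerts


def run_rules(proc_events, file_events):
    alerts = []
    for ev in proc_events:
        for rule in (detect_hta_loader, detect_user_path_python):
            hit = rule(ev)
            if hit:
                alerts.append((ev.host, basename(ev.image), hit))
    for host, image, n in detect_document_purge(file_events):
        alerts.append((host, image, f"{n} document files deleted within {PURGE_WINDOW}s"))
    return alerts


# Constructed sample telemetry: ws-01 shows the chain, ws-02 is benign noise.
SAMPLE_PROCS = [
    ProcEvent("ws-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\a\AppData\Local\Temp\x.hta"),
    ProcEvent("ws-01", r"C:\Windows\explorer.exe",
              r"C:\Users\a\AppData\Roaming\py\python.exe", r"python.exe main.py"),
    ProcEvent("ws-02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcEvent("ws-02", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Python311\python.exe", r"python.exe script.py"),
]
SAMPLE_FILES = [FileDeleteEvent("ws-01", r"C:\Users\a\AppData\Roaming\py\python.exe",
                                rf"C:\Users\a\Documents\report{i}.docx", 1000 + i * 5)
                for i in range(6)]
SAMPLE_FILES.append(FileDeleteEvent("ws-02", r"C:\Windows\explorer.exe",
                                    r"C:\Users\b\Desktop\old.pdf", 2000))

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_PROCS, SAMPLE_FILES):
        print(" | ".join(str(x) for x in alert))
```

Rule 1 fires on the first sample event, rule 2 on the interpreter in AppData, and rule 3 on the six document deletions by that interpreter; the ws-02 events, a vendor HTA under Program Files and a system-wide Python install, pass. On a real estate the thresholds and the user-writable path list need tuning per site, and rule 3 is only meaningful when correlated with an outbound transfer from the same process shortly before the deletions.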