Full Report
Following the investigation into UAC-0212’s increasing activity against multiple organizations in Ukraine’s critical infrastructure sector, CERT-UA notifies the global cyber defender community of the reemergence of another hacking group in the Ukrainian cyber threat arena. The organized criminal group tracked as UAC-0173 has been conducting a series of phishing attacks against notaries impersonating the sender […] The post UAC-0173 Activity Detection: Hackers Launch Phishing Attacks Against Ukrainian Notaries Using the DARKCRYSTALRAT Malware appeared first on SOC Prime.
Analysis Summary
# Incident Report: UAC-0173 Phishing Attack Against Ukrainian Notaries Using DARKCRYSTALRAT
## Executive Summary
The financially motivated hacking group UAC-0173 launched a series of sophisticated phishing campaigns targeting notaries in Ukraine, impersonating the Ministry of Justice. The primary goal was to establish covert remote access via the DARKCRYSTALRAT (DCRAT) malware to ultimately gain unauthorized access to and modify state registries. The incident was detected and thwarted by CERT-UA and partners before significant unauthorized actions could be finalized.
## Incident Details
- Discovery Date: February 26, 2025 (Date of CERT-UA alert publication, indicative of ongoing activity)
- Incident Date: Active attacks observed around February 11, 2025 (start of the newest phishing wave)
- Affected Organization: Notary workstations across Ukraine (multiple regions)
- Sector: Legal/Judicial Support (Notaries)
- Geography: Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** February 11, 2025 (Phishing emails sent)
- **Vector:** Email Phishing
- **Details:** Attackers sent phishing emails masquerading as the territorial branch of the Ministry of Justice of Ukraine. These emails contained links to download executable files.
### Lateral Movement
- **Date/Time:** Post-initial infection
- **Vector:** Remote Desktop Protocol (RDP) setup and internal scanning.
- **Details:** After initial access with DCRAT, attackers installed RDPWRAPPER to enable parallel RDP sessions. They used this, along with the BORE utility, to establish direct RDP connections from the internet to the compromised workstations. They also used NMAP for network discovery.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing post-compromise
- **Vector:** Credential theft and data collection leading to unauthorized registry modification.
- **Details:** The primary objective was to prepare for unauthorized changes to state registries. Attackers used the FIDDLER proxy/sniffer to capture authentication data entered on state registry web interfaces, and the XWORM keylogger for broader credential theft.
### Detection & Response
- **Date/Time:** Throughout the campaign; prompt action followed the February 11 wave, culminating in the February 25 alert.
- **Details:** CERT-UA, working with partners, implemented cybersecurity measures to rapidly identify infected computers in six regions. They successfully thwarted the final stages of the unauthorized notarial actions.
## Attack Methodology
- **Initial Access:** Phishing emails delivering executable files leading to DARKCRYSTALRAT (DCRAT) malware installation.
- **Persistence:** Implied via RAT installation, potentially using auto-start locations (MITRE T1547.001).
- **Privilege Escalation:** Implied through the use of detection evasion utilities to bypass User Account Control (UAC).
- **Defense Evasion:** Use of detection evasion utilities, process injection (Process Hollowing T1055.012), hiding artifacts, and disabling security tooling (e.g., disabling Windows Defender Realtime Monitoring T1562.001).
- **Credential Access:** Deployment of XWORM keylogger and FIDDLER proxy/sniffer to capture credentials entered on web interfaces.
- **Discovery:** Use of NMAP network scanner (T1046).
- **Lateral Movement:** Establishing remote access via RDP enabled by RDPWRAPPER and BORE utility, allowing RDP connections directly from the Internet.
- **Collection:** Keylogging and sniffing network traffic containing authentication data.
- **Exfiltration:** Preparation for unauthorized actions on state registries.
- **Impact:** Attempted unauthorized modification of state registries leading to potential fraud or data corruption.
## Impact Assessment
- **Financial:** Not quantified, but associated with financially motivated threat group UAC-0173.
- **Data Breach:** Authentication credentials for state registry web interfaces were targeted, and potentially collected. The scope of successful data extraction is not fully detailed.
- **Operational:** Potential for disruption and compromise of notary workflows and state registry integrity.
- **Reputational:** Damage to public trust in the security of official digital services accessed by notaries.
## Indicators of Compromise
*(Note: the source text does not list specific, defanged IoCs; the categories below are inferred from the techniques it describes.)*
- **Network indicators:** NMAP scanning activity, outbound connections associated with DCRAT C2, RDP connections established via BORE/RDPWRAPPER from external sources.
- **File indicators:** Deployment of DCRAT installer executables, RDPWRAPPER components, FIDDLER, XWORM, and SENDEMAIL utilities.
- **Behavioral indicators:** PowerShell executing obfuscated commands, suspicious MSBuild activity, execution from the Public user profile, and processes masquerading as svchost.exe.
## Response Actions
- **Containment measures:** Rapid identification of infected computers across six regions.
- **Eradication steps:** Not explicitly detailed, but implied through the immediate countermeasures described.
- **Recovery actions:** Thwarting the attackers’ intentions even at the final stages of unauthorized notarial actions (preventing the successful realization of the objective).
## Lessons Learned
- Phishing remains the dominant initial access vector (over 80% of security events).
- Threat actors are actively targeting specific high-value targets with limited IT security resources, such as notaries, to reach critical infrastructure backend systems (state registries).
- Sophisticated malware like DARKCRYSTALRAT is being paired with access tools (RDPWRAPPER, BORE) to establish robust, internet-facing remote control.
## Recommendations
- Implement enhanced email filtering solutions capable of detecting sophisticated impersonation and malicious attachments linked to known threat actors like UAC-0173.
- Mandate multi-factor authentication (MFA) for all access to state registry portals, regardless of source IP.
- Deploy advanced endpoint detection and response (EDR) solutions capable of detecting evasion techniques (e.g., UAC bypass, process hollowing, disabling Defender).
- Regularly audit RDP configurations and prohibit direct RDP exposure to the internet, especially on workstations handling sensitive data.
- Conduct targeted security awareness training for notaries focusing on the social engineering tactics used by attackers impersonating government bodies.