Full Report
The UAC-0200 hacking group resurfaces in the cyber threat arena. CERT-UA has recently identified a surge in targeted cyber-attacks against both employees of defense industry enterprises and individual members of the Armed Forces of Ukraine, leveraging DarkCrystal RAT (DCRAT).

Detect UAC-0200 Attacks Covered in the CERT-UA#14045 Alert

Following the latest UAC-0173 attacks leveraging DARKCRYSTAL RAT […]

The post "UAC-0200 Attack Detection: Cyber-Espionage Activity Targeting Defense Industry Sector and the Armed Forces of Ukraine Using DarkCrystal RAT" appeared first on SOC Prime.
Analysis Summary
# Threat Actor: UAC-0200
## Attribution & Identity
The threat actor is identified as **UAC-0200**. The activity described is also associated with Alert **CERT-UA#14045**.
## Activity Summary
UAC-0200 is engaged in cyber-espionage operations. The specific activity detailed involves targeting the Defense Industry Sector and the Armed Forces of Ukraine using the DarkCrystal RAT.
## Tactics, Techniques & Procedures
The following TTPs were observed and are relevant to this actor's operations:
- **Initial Access:**
  - Spearphishing Attachment (T1566.001)
  - Execution from ZIP Archive [7zip] (via `process_creation`)
  - Loading/Executing files dropped via Signal Messenger (via `file_event`)
  - Execution from RAR Archive [WinRAR] (via `process_creation`)
- **Execution:**
  - User Execution: Malicious File (T1204.002)
  - Execution from ZIP Archive [7zip] (via `process_creation`)
  - Execution from RAR Archive [WinRAR] (via `process_creation`)
- **Command and Control (C2):**
  - Application Layer Protocol: Web Protocols (T1071.001)
  - Suspicious File Download Direct IP (via `proxy`)
## Targeting
- Sectors: Defense Industry Sector, Armed Forces.
- Geography: Ukraine (implied by the victims).
- Victims: Armed Forces of Ukraine.
## Tools & Infrastructure
- **Malware families used:** DarkCrystal RAT
- **Infrastructure (C2, domains, IPs):**
  - Suspicious file downloads from direct IP addresses, observed through proxy telemetry (C2 mechanism). Specific IPs and domains are not provided in this summary.
## Implications
UAC-0200 poses a significant threat due to its focus on critical national security interests, specifically the defense industry and military forces within Ukraine. Their use of common archive formats (ZIP/RAR) for initial delivery alongside the sophisticated DarkCrystal RAT suggests a targeted and persistent espionage campaign designed to maintain access to sensitive Ukrainian defense-related information.
## Mitigations
- Implement robust detection rules focusing on the observed initial access vectors, specifically:
  - Monitoring for spearphishing attachments.
  - Detecting process creation related to execution originating from 7zip or WinRAR archives.
  - Deploying enhanced monitoring for file events related to suspicious file drops via Signal Messenger.
- Enhance network visibility to detect C2 communications leveraging Web Protocols (T1071.001) originating from suspicious processes, or connections made directly to IP addresses (direct IP downloads).
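The two detection ideas above, executables launched out of an archiver's temp extraction path and executable downloads from a bare IP address, as an added illustration that is not SOC Prime's or CERT-UA's own rule logic. It assumes Sysmon-style `ParentImage`/`Image` fields, the archiver binary names `7zFM.exe`, `7zG.exe` and `WinRAR.exe`, and approximates the Signal Messenger case as a process-creation check with `Signal.exe` as parent rather than the `file_event` source; all sample events are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed parent processes (not taken from the report): archive managers and the Signal client.
ARCHIVE_PARENTS = {"7zfm.exe", "7zg.exe", "winrar.exe"}
MESSENGER_PARENTS = {"signal.exe"}
EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|vbs|js|hta|ps1)$", re.I)
TEMP_PATH = re.compile(r"\\temp\\", re.I)  # archivers extract to %TEMP% on double-click

def check_process_creation(event):
    """Flag an executable started by an archiver or messenger from a temp path."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"]
    if not (EXEC_EXT.search(image) and TEMP_PATH.search(image)):
        return None
    if parent in ARCHIVE_PARENTS:
        return f"execution from archive: {parent} -> {image}"
    if parent in MESSENGER_PARENTS:
        return f"execution of file dropped via messenger: {parent} -> {image}"
    return None

def check_proxy_download(url):
    """Flag an executable fetched from a host given as a bare IP address."""
    parsed = urlparse(url)
    try:
        ipaddress.ip_address(parsed.hostname or "")
    except ValueError:
        return None  # named host: not the direct-IP pattern
    if EXEC_EXT.search(parsed.path):
        return f"direct-IP download of executable: {url}"
    return None

def run_detections(process_events, proxy_urls):
    alerts = [a for e in process_events if (a := check_process_creation(e))]
    alerts += [a for u in proxy_urls if (a := check_proxy_download(u))]
    return alerts

# Constructed sample telemetry; paths and addresses are illustrative only.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "Image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\order.pdf.exe"},
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe", "Image": r"C:\Users\alice\AppData\Local\Temp\7zO0A1\report.exe"},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe", "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Notepad++\notepad++.exe"},  # benign
]
PROXY_URLS = [
    "http://198.51.100.23/update/setup.exe",   # TEST-NET-2 documentation range
    "https://example.org/downloads/setup.exe",  # named host: not flagged
    "http://203.0.113.9/index.html",            # direct IP but not an executable
]
```

Running `run_detections(PROCESS_EVENTS, PROXY_URLS)` on the constructed sample yields three process alerts and one proxy alert; real deployments should tune the temp-path and extension patterns to the endpoint telemetry actually collected.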