The advanced persistent threat (APT) group known as UAC-0063 has been observed using legitimate documents obtained by compromising one victim to attack another target, in order to deliver a well-known piece of malware called HATVIBE.
"This research focuses on completing the picture of UAC-0063's operations, in particular documenting their original focus on Central Asia and their targeting of organizations such as embassies in several European countries, including Germany, the U.K., the Netherlands, Romania and Georgia," Martin Zugec, Technical Solutions Director at Bitdefender, noted in a report shared with The Hacker News.
UAC-0063 was first documented by the Romanian cybersecurity company in May 2023, in connection with a campaign aimed at government agencies in Central Asia using a data exfiltration malware known as DownEx (aka STILLARCH). It is suspected to share ties with a well-known Russian state-sponsored actor called APT28.
Just a few weeks later, the Computer Emergency Response Team of Ukraine (CERT-UA), which assigned the threat cluster its nickname, disclosed that the hacking group has been active since at least 2021, attacking state bodies in the country with a keylogger (LOGPIE), an HTML application (HATVIBE) and a Python backdoor (CherrySpy, aka DownExPyer).
UAC-0063 has also been reported to target various organizations in Central Asia, East Asia and Europe, according to Recorded Future's Insikt Group, which tracks the threat actor as TAG-110.
Earlier this month, the cybersecurity firm SEKOIA disclosed that it had identified a campaign by the hacking crew that involved the use of documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan for spear-phishing purposes and delivery of the HATVIBE malware.
Bitdefender's latest findings demonstrate the continuation of this behaviour, with the intrusion ultimately paving the way for DownEx, DownExPyer and a newly discovered USB data exfiltrator, PyPlunderPlug, in at least one incident targeting a German company in mid-January.
DownExPyer comes with a range of capabilities to maintain a persistent connection with a remote server and receive instructions for data collection, command execution and deployment of additional payloads. The list of tasks received from the command-and-control (C2) server is as follows:
- A3 – Exfiltrate files matching a particular set of extensions to the C2
- A4 – Exfiltrate files and logs to the C2 and delete them after transfer
- A5 – Execute commands (by default the "systeminfo" command is invoked to collect system information)
- A6 – List the file system
- A7 – Take screenshots
- A11 – Stop another running task
"The consistency of DownExPyer's core functionality over the last two years is a strong indicator of its maturity and probably long-standing presence in UAC-0063's arsenal," Zugec explained. "This observed stability suggests that by 2022 it was probably already operational and refined."
Bitdefender said it also identified a Python script designed to log keystrokes, probably a predecessor of the implant, on one of the compromised machines infected with DownEx, DownExPyer and HATVIBE.
"UAC-0063 illustrates a sophisticated threat group, characterized by its advanced capabilities and persistent targeting of state structures," Zugec said.
"Their arsenal, represented by complex implants such as DownExPyer and PyPlunderPlug, combined with well-thought-out TTPs, demonstrates a clear focus on espionage and intelligence gathering.