The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country. The attacks, which leverage phishing emails as an initial compromise vector, are used to deliver malware families like MATCHBOIL, MATCHWOK, and DRAGSTARE. UAC-0099, first publicly documented by the agency in June 2023, has a history of targeting Ukrainian entities for espionage purposes. Prior attacks have been observed leveraging security flaws in WinRAR software (CVE-2023-38831, CVSS score: 7.8) to propagate a malware called LONEPAGE. The latest infection chain involves using email lures related to court summons to entice recipients into clicking on links that are shortened using URL shortening services like Cuttly. These links, which are sent via UKR.NET email addresses, point to a double archive file containing an HTML Application (HTA) file. The execution of the HTA payload triggers the launch of an obfuscated Visual Basic Script file that, in turn, creates a scheduled task for persistence and ultimately runs a loader named MATCHBOIL, a C#-based program that's designed to drop additional malware on the host. This includes a backdoor called MATCHWOK and a stealer named DRAGSTARE. Also written using the C# programming language, MATCHWOK is capable of executing PowerShell commands and passing the results of the execution to a…Read More