Another hacking collective has emerged in the cyber threat arena to target Ukrainian organizations.
CERT-UA notifies defenders about the discovery of fake websites that mimic the official page of the “Army+” application and are hosted using the Cloudflare Workers service.
The UAC-0125 group is highly likely associated with the nefarious russia-backed hacking collective tracked as UAC-0002 (aka APT44, aka Sandworm).
The increasing number of cyber attacks targeting government bodies, military and defense agencies and the critical infrastructure sector has been causing a stir on the cyber front line since the start of russia’s full-scale war against Ukraine.
SOC Prime Platform for collective cyber defense equips security teams with a relevant detection stack to proactively thwart attacks covered in the CERT-UA#12559 alert.
UAC-0125 Attack Analysis: Users are prompted to download the executable file “ArmyPlusInstaller-v.0.10.23722.exe” when visiting the fake websites.
The executable file runs a PowerShell script that installs OpenSSH on the compromised system and generates an RSA key pair.
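As an added illustration (not part of the CERT-UA alert or SOC Prime's own detection content), the following Python check walks constructed Sysmon-style process-creation records and flags the chain described above: the fake installer spawning PowerShell, PowerShell installing OpenSSH, and an RSA key pair being generated beneath it. The exact command lines (Add-WindowsCapability for OpenSSH, ssh-keygen -t rsa) are assumptions about how that stage may look, since the alert does not quote them.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
# The OpenSSH install and ssh-keygen command lines are assumptions about the
# PowerShell stage described by CERT-UA, not quoted from the alert.
SAMPLE_EVENTS = [
    {"pid": 1204, "ppid": 812, "image": r"C:\Users\u\Downloads\ArmyPlusInstaller-v.0.10.23722.exe",
     "cmd": "ArmyPlusInstaller-v.0.10.23722.exe"},
    {"pid": 1330, "ppid": 1204, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"pid": 1351, "ppid": 1330, "image": r"C:\Windows\System32\OpenSSH\ssh-keygen.exe",
     "cmd": "ssh-keygen.exe -t rsa -b 4096 -N \"\" -f C:\\ProgramData\\ssh\\id_rsa"},
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},  # benign control record, must not be flagged
]

INSTALLER_RE = re.compile(r"ArmyPlusInstaller", re.I)
OPENSSH_INSTALL_RE = re.compile(r"Add-WindowsCapability.*OpenSSH", re.I)
KEYGEN_RE = re.compile(r"ssh-keygen(\.exe)?\b.*-t\s+rsa", re.I)


def is_powershell(image: str) -> bool:
    """True for Windows PowerShell or PowerShell Core process images."""
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def detect_uac0125_chain(events):
    """Return (pid, reason) pairs for records matching the installer -> PowerShell -> OpenSSH/RSA chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Stage 1: PowerShell launched directly by the fake Army+ installer
        if is_powershell(e["image"]) and parent and INSTALLER_RE.search(parent["image"]):
            findings.append((e["pid"], "powershell spawned by fake Army+ installer"))
        # Stage 2: OpenSSH installation driven from PowerShell
        if is_powershell(e["image"]) and OPENSSH_INSTALL_RE.search(e["cmd"]):
            findings.append((e["pid"], "OpenSSH install via PowerShell"))
        # Stage 3: RSA key pair generated by a child of PowerShell
        if KEYGEN_RE.search(e["cmd"]) and parent and is_powershell(parent["image"]):
            findings.append((e["pid"], "RSA key pair generated under PowerShell"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_uac0125_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Each stage is reported separately so a single hit (for example, a legitimate OpenSSH rollout) can be triaged on its own, while the full three-stage sequence on one host is the high-confidence signal.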
The adversary activity is tracked under the UAC-0125 identifier and is highly likely associated with the russia-linked UAC-0002 cluster (aka Sandworm).
The notorious Sandworm APT group has been targeting Ukrainian state bodies and critical infrastructure organizations for over a decade.
MITRE ATT&CK Context: Security teams can gain valuable insights into the UAC-0125 TTPs involved in the latest malicious campaign against Ukraine.