Ukrainian Authorities Warn of Surge in Targeted Cyberattacks on Government and Healthcare by UAC-0247

A significant surge in cyberattacks has been detected targeting Ukrainian local governments and municipal healthcare institutions, particularly clinical and ambulance hospitals. CERT-UA attributes this campaign to threat cluster UAC-0247, known for deploying advanced data theft, persistence, and lateral movement techniques.

Attack Methods: From Phishing to Payload Delivery

The attack sequence begins with sophisticated phishing emails masquerading as humanitarian aid proposals. These emails contain malicious links that redirect to compromised websites. Threat actors employ two primary strategies:

  • Fake nonprofit websites created using artificial intelligence
  • Exploitation of legitimate sites via Cross-Site Scripting (XSS) to deliver malicious payloads

When victims click the link, they download an archive containing a shortcut (.LNK) file. Opening this file triggers mshta.exe, which executes a script that retrieves remote content while displaying decoy forms. A scheduled task silently deploys an executable payload in the background.

Techniques: Encrypted Reverse Shells and AGINGFLY RAT

The attack utilizes a sophisticated two-stage loader. The second stage employs a proprietary executable format supporting custom code sections, dynamic imports, and relocation. The final compressed payload deploys a TCP reverse shell called RAVENSHELL, which connects back to the attackers’ command server.

RAVENSHELL encrypts traffic using a 9-byte XOR key and sends an initial “Connected!” message before executing commands via Windows Command Processor (CMD). Once established, the malware deploys AGINGFLY, a C#-based Remote Access Trojan (RAT) offering:

  • Command execution
  • File transfer capabilities
  • Screenshot capture
  • Keylogging
  • Arbitrary code execution over encrypted WebSocket communication

A unique feature of AGINGFLY is its dynamic command system – handlers are downloaded as source code and compiled at runtime. Additionally, a PowerShell script named SILENTLOOP manages Command & Control (C2) communication through Telegram channels, ensuring connectivity even if primary infrastructure fails.

Data Exfiltration and Persistence Methods

For data theft, attackers deploy two specialized tools:

  • CHROMELEVATOR: Extracts stored browser credentials and cookies
  • ZAPIXDESK: Exfiltrates WhatsApp data from desktop applications

Post-breach, attackers conduct reconnaissance and lateral movement using custom subnet scanners and public tools like RUSTSCAN, with tunneling via CHISEL and LIGOLO-NG. In one incident, investigators discovered an XMRIG cryptocurrency miner running as a DLL, stealthily loaded through a modified WIREGUARD VPN client.

CERT-UA Security Recommendations

CERT-UA advises organizations to implement the following mitigations against UAC-0247:

  • Block execution of LNK, HTA, and JS files
  • Restrict scripting utilities (mshta.exe, powershell.exe, wscript.exe)
  • Monitor for suspicious scheduled task creation
  • Implement application control policies for uncommon executable formats

These controls significantly reduce exposure to the evolving threat landscape, as UAC-0247 remains an active and persistent threat targeting critical Ukrainian infrastructure.

Related Articles

Back to top button