EXECUTIVE SUMMARY
The advisory describes a rise in coordinated cyber activity linked to a tracked group referred to as UAC-0247. The activity shows repeated attempts to gain access to systems that support important public functions, which points to a planned campaign rather than random incidents. The attackers focus on targets that are important for daily operations, which increases the potential impact if access is gained. The pattern suggests that the group is working with a clear objective and is selecting targets carefully instead of acting at random. This reflects a broader trend where such activities are becoming more frequent and structured. The report also highlights that the attackers are not limited to a single method of entry. They try different approaches depending on the situation, which improves their chances of success and makes early detection harder. This flexible approach allows them to adjust based on the environment they encounter. The activity shows a steady effort to gain and maintain access over time rather than a one-time attempt.
The analysis explains that the attack begins with methods designed to trick users into interacting with harmful content that appears normal. Once the attackers gain initial access, they deploy tools that allow them to control the system from a distance. These tools help them move further within the system and maintain access even if some parts of the activity are removed. This shows that the attack is carried out in multiple stages rather than a single step. The attackers also use methods to hide their actions, making it difficult to detect unusual behavior. They rely on different communication channels to stay connected with affected systems, which allows them to continue their activity without interruption. In some cases, they change their approach based on the system they are targeting, showing that they can adapt when needed. This flexibility increases the effectiveness of the activity and makes it harder to stop.
The advisory highlights that this activity is not a one-time event but part of an ongoing pattern. The repeated focus on important systems shows that the attackers aim to maintain access and possibly use it over time. This kind of activity can lead to disruption or misuse if it is not identified early. The steady nature of the campaign suggests that similar actions may continue, with the attackers trying new ways to improve their success. Another key point is the ability of the attackers to adjust their methods based on what works and what does not. This makes it harder to rely on fixed ways to detect such activity. The campaign also shows that attackers are willing to spend time maintaining their presence once access is gained, which increases the overall risk. Their approach focuses on staying active, avoiding detection, and continuing their operations over time. In summary, the activity reflects a continuous effort where attackers refine their methods and maintain access, making it a persistent concern rather than a short-term issue.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Defense Evasion | T1622 | Debugger Evasion | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1572 | Protocol Tunneling | — |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
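A defender-side triage sketch for four of the techniques in the table (Registry Run key and scheduled-task persistence, a staged Python interpreter, and DLL side-loading), added here as an example and not taken from the advisory or CERT-UA. The event records are constructed Sysmon-style telemetry, not real indicators, and the field names (`type`, `image`, `cmdline`, `key`, `loaded`, `host_signed`, `dll_signed`) are assumptions about the log schema.

```python
import re

# Technique IDs are those listed in the advisory's threat profile table.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
PYTHON_EXE = re.compile(r"\\pythonw?\d*\.exe$", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)

def classify(ev: dict) -> list[str]:
    """Return the ATT&CK technique IDs from the table that one event matches."""
    hits = []
    kind, image, cmd = ev.get("type"), ev.get("image", ""), ev.get("cmdline", "")
    if kind == "registry_set" and RUN_KEY.search(ev.get("key", "")):
        hits.append("T1547.001")  # Registry Run key persistence
    if kind == "process" and SCHTASKS_CREATE.search(cmd):
        hits.append("T1053.005")  # scheduled task persistence
    if kind == "process" and PYTHON_EXE.search(image) and USER_WRITABLE.match(image):
        hits.append("T1059.006")  # Python interpreter staged in a user-writable path
    if (kind == "image_load" and ev.get("host_signed") and not ev.get("dll_signed")
            and USER_WRITABLE.match(ev.get("loaded", ""))):
        hits.append("T1574.002")  # signed host loading an unsigned DLL from a user path
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group event IDs by technique so the stages of the chain can be read together."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for tid in classify(ev):
            out.setdefault(tid, []).append(ev["id"])
    return out

# Constructed sample telemetry (hypothetical paths and names, not real indicators).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": "e2", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\up.exe"},
    {"id": "e3", "type": "process", "cmdline": "python.exe main.pyc",
     "image": r"C:\Users\alice\AppData\Local\Temp\pyenv\python.exe"},
    {"id": "e4", "type": "image_load", "image": r"C:\Users\alice\Downloads\viewer\viewer.exe",
     "loaded": r"C:\Users\alice\Downloads\viewer\version.dll",
     "host_signed": True, "dll_signed": False},
    {"id": "e5", "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for tid, ids in triage(SAMPLE_EVENTS).items():
        print(tid, ids)
```

The benign `svchost.exe` record (e5) is included so the rules can be checked for a clean miss as well as the four hits.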
REFERENCES:
The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/new-agingfly-malware-used-in-attacks-on-ukraine-govt-hospitals/
https://cert.gov.ua/article/6288271