27 June 2024

Russia-linked UAC-0184 targeting Ukraine with XWorm RAT

Researchers at Cyble Research and Intelligence Labs (CRIL) have detailed a recent campaign by the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT). This group has a history of targeting Ukrainian entities, including past operations in Finland utilizing the Remcos RAT.

In the latest campaign, UAC-0184 is employing lure documents to distribute the XWorm RAT. The attack starts when a user executes a malicious LNK shortcut file, which triggers a PowerShell script. This script downloads a ZIP file containing both legitimate and malicious Python components, including an encrypted payload.

The infection process involves DLL sideloading and the use of the Shadowloader tool to execute the XWorm RAT as the final payload. Once activated, the XWorm RAT attempts to connect to a command-and-control (C&C) server for remote access activities. However, during CRIL's analysis, the C&C server was inactive, resulting in no observed malicious behavior.

In late May, CRIL observed that UAC-0184 had incorporated Python-related files into their strategy to evade detection. Although the exact initial attack vector remains unclear, it is suspected that the campaign could be conducted through phishing or spam emails containing ZIP attachments. The attack sequence begins with a .lnk file within the ZIP archive. Executing the LNK shortcut initiates a PowerShell script that downloads another ZIP file and a lure document.

This secondary ZIP file contains several components: a legitimate Python executable, a malicious Python DLL, and an encrypted payload binary. The PowerShell script downloads these files and then launches “pythonw.exe” via the start command. This executable copies the files into a new folder. “pythonw.exe” then loads the malicious DLL, “python310.dll,” through DLL sideloading, and the DLL injects shellcode into the MSBuild process.

Shadowloader is also used to inject the XWorm RAT into a running process. Once executed, the XWorm RAT provides a range of malicious capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation.
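Detection logic for the three stages of the chain described above (PowerShell launching pythonw.exe, python310.dll sideloaded from a user-writable path, pythonw.exe opening a handle to MSBuild), run over constructed Sysmon-style events. This is an added example, not code from Cyble or the article; the event field names, sample paths and the "user-writable" heuristic are assumptions.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style fields); not real events from the campaign.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\pkg\pythonw.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\pkg\pythonw.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\pkg\python310.dll", "signed": False},
    {"type": "process_access", "source_image": r"C:\Users\u\AppData\Local\Temp\pkg\pythonw.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # Benign noise: a normal Python install loading its own signed runtime DLL (should not alert).
    {"type": "image_load", "image": r"C:\Program Files\Python310\pythonw.exe",
     "image_loaded": r"C:\Program Files\Python310\python310.dll", "signed": True},
]

# Assumed heuristic: directories an unprivileged user can write to (where a dropped DLL would sit).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) pairs; one rule per stage of the LNK -> PowerShell -> pythonw chain."""
    hits = []
    for e in events:
        t = e["type"]
        # Stage 1: the PowerShell script started by the LNK launches pythonw.exe.
        if t == "process_create" and basename(e["image"]) == "pythonw.exe" \
                and basename(e["parent_image"]) == "powershell.exe":
            hits.append(("pythonw_spawned_by_powershell", e["image"]))
        # Stage 2: pythonw.exe sideloads python310.dll from a user-writable path or an unsigned copy.
        elif t == "image_load" and basename(e["image"]) == "pythonw.exe" \
                and basename(e["image_loaded"]) == "python310.dll" \
                and (USER_WRITABLE.match(e["image_loaded"]) or not e.get("signed", True)):
            hits.append(("python310_dll_sideload", e["image_loaded"]))
        # Stage 3: the sideloaded DLL's shellcode injection shows up as pythonw.exe accessing MSBuild.
        elif t == "process_access" and basename(e["source_image"]) == "pythonw.exe" \
                and basename(e["target_image"]) == "msbuild.exe":
            hits.append(("pythonw_accesses_msbuild", e["target_image"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Any one rule alone is noisy in a developer environment; correlating all three on the same host within a short window is what makes the chain stand out.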
