Ukraine's Computer Emergency Response Team (CERT-UA), has warned of a new series of cyberattacks targeting Ukrainian defense enterprises. The attackers are leveraging the theme of Unmanned Aerial Vehicles (UAVs) procurement to lure their victims.
The campaign has been attributed to a threat actor CERT-UA tracks as UAC-0180. The group utilizes various types of malware and may pose as government officials to gain the trust of their targets. UAC-0180’s arsenal includes a variety of malware written in various programming languages such as C (ACROBAIT), Rust (ROSEBLOOM, ROSETHORN), Go (GLUEEGG), Lua (DROPCLUE).
The attack begins with an email containing a ZIP file attachment. This ZIP file includes a PDF document with a link, urging the recipient to follow it to “download missing fonts.”
Upon clicking the link, the victim downloads a file named “adobe_acrobat_fonts_pack.exe,” which is, in reality, malicious software known as GLUEEGG. This software decrypts and runs the loader called DROPCLUE.
DROPCLUE then downloads and opens two files on the victim's computer: a decoy PDF file and an executable file named “font-pack-pdf-windows-64-bit.” Ultimately, this executable file installs a legitimate remote management tool called ATERA. This allows the attackers to gain unauthorized access to the victim's computer.
More technical details as well as Indicators of Compromise (IoCs) related to this campaign can be found in CERT-UA’s advisory.
