CERT-UA warns of malware attacks delivered through HTA files, using court summons as the lure.
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about cyber attacks conducted by a threat actor tracked as UAC-0099. The group targets government agencies, defence forces, and enterprises within Ukraine's defence-industrial complex. The attacks rely on phishing emails as the initial compromise vector, delivering several malware families, including MATCHBOIL, MATCHWOK, and DRAGSTARE. UAC-0099, first documented by CERT-UA in June 2023, has a history of espionage against Ukrainian entities. Earlier attacks exploited a security vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8), which lets a crafted ZIP archive run a script when the victim opens what appears to be a harmless file, to distribute a malware variant called LONEPAGE. The latest infection chain uses email lures themed around court summons that entice recipients to click shortened links; these lead to a nested archive (an archive inside an archive) containing an HTML Application (HTA) file.
When the HTA payload is opened, it is run by mshta.exe outside any browser sandbox, so the embedded script executes with the user's full privileges. It launches an obfuscated Visual Basic Script file, which creates a scheduled task for persistence and ultimately executes a loader named MATCHBOIL. This C#-based program drops additional malware onto the host, including a backdoor called MATCHWOK and a data stealer named DRAGSTARE. MATCHWOK executes PowerShell commands and relays the results to a remote server. DRAGSTARE, meanwhile, gathers system information, extracts data from web browsers, and collects files with specific extensions from designated folders. The disclosure follows a recent report by ESET detailing Gamaredon's ongoing spear-phishing attacks against Ukrainian entities in 2024, which highlighted six new malware tools engineered for stealth, persistence, and lateral movement.
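The HTA → VBScript → scheduled-task sequence above is a chain that process-creation and task-creation telemetry can surface. The following is an added example written for this page, not CERT-UA's or any vendor's detection content, and the events it runs over are constructed rather than real telemetry. It assumes Sysmon-style process-creation records (image, parent, command line) and Security-log-style task-creation records (task name and action), and it assumes the usual Windows process names: mshta.exe runs .hta files, wscript.exe/cscript.exe run .vbs files, and schtasks.exe is one (not the only) way to create a task.

```python
"""Toy detector for the HTA -> VBScript -> scheduled task chain.

Added example, not CERT-UA's or any vendor's code. All events below are
constructed for illustration; process names and paths are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "proc" (Sysmon EID 1 style) or "task" (Security 4698 style)
    pid: int = 0
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    task_name: str = ""
    task_action: str = ""


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to; archive extraction and
# phishing payloads usually land here rather than under C:\Windows.
USER_PATHS = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_exe(cmdline: str) -> str:
    """Executable name from a command line: first token, quotes stripped."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    tok = (m.group(1) or m.group(2)) if m else ""
    return basename(tok)


def detect(events):
    """Return (rule_name, detail) findings for the HTA/VBS/task chain."""
    by_pid = {e.pid: e for e in events if e.kind == "proc"}
    findings = []
    for e in events:
        if e.kind == "proc":
            name = basename(e.image)
            parent = by_pid.get(e.ppid)
            pname = basename(parent.image) if parent else ""
            # Rule 1: mshta.exe opening an .hta from a user-writable location.
            if name == "mshta.exe" and re.search(r"\.hta\b", e.cmdline, re.I) \
                    and USER_PATHS.search(e.cmdline):
                findings.append(("hta_from_user_path", e.cmdline))
            # Rule 2: an HTA handing off to a script host (the VBS stage).
            if name in SCRIPT_HOSTS and pname == "mshta.exe":
                findings.append(("mshta_spawns_script_host", e.cmdline))
            # Rule 3: a script host (or mshta) creating a task on the command line.
            if name == "schtasks.exe" and pname in SCRIPT_HOSTS | {"mshta.exe"} \
                    and re.search(r"/create", e.cmdline, re.I):
                findings.append(("script_host_creates_task", e.cmdline))
        elif e.kind == "task":
            # Rule 4: task-creation record, independent of how the task was
            # created (covers the Task Scheduler COM API, which spawns no schtasks.exe).
            if first_exe(e.task_action) in SCRIPT_HOSTS | {"mshta.exe", "powershell.exe"} \
                    and USER_PATHS.search(e.task_action):
                findings.append(("task_action_script_in_user_path", e.task_name))
    return findings


# Constructed sample telemetry (not real logs): one malicious chain plus benign noise.
EVENTS = [
    Event("proc", pid=100, ppid=1, image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    Event("proc", pid=300, ppid=100, image=r"C:\Windows\System32\mshta.exe",
          cmdline=r'"C:\Windows\System32\mshta.exe" "C:\Users\ivan\Downloads\summons\summons.hta"'),
    Event("proc", pid=400, ppid=300, image=r"C:\Windows\System32\wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" //B "C:\Users\ivan\AppData\Roaming\up.vbs"'),
    Event("proc", pid=500, ppid=400, image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks.exe /create /sc minute /mo 5 /tn Update /tr "wscript.exe //B C:\Users\ivan\AppData\Roaming\up.vbs" /f'),
    Event("proc", pid=600, ppid=100, image=r"C:\Windows\System32\schtasks.exe",
          cmdline="schtasks.exe /query /fo LIST"),                      # benign
    Event("task", task_name=r"\Update",
          task_action=r"wscript.exe //B C:\Users\ivan\AppData\Roaming\up.vbs"),
    Event("task", task_name=r"\Microsoft\Windows\Defrag\ScheduledDefrag",
          task_action=r"%windir%\system32\defrag.exe -c -h -o -$"),     # benign
]


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Rule 4 exists because persistence created through the Task Scheduler COM API never spawns schtasks.exe, so a process-only rule (rule 3) misses it; task-creation records (Security event 4698) require "Audit Other Object Access Events" to be enabled, which is not on by default. The user-path check is what keeps rules 1 and 4 quiet on the legitimate mshta.exe and scheduled-task activity a Windows host produces.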