CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures

August 6, 2025

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.

The attacks, which leverage phishing emails as an initial compromise vector, are used to deliver malware families like MATCHBOIL, MATCHWOK, and DRAGSTARE.

UAC-0099, first publicly documented by the agency in June 2023, has a history of targeting Ukrainian entities for espionage purposes. Prior attacks have been observed leveraging security flaws in WinRAR software (CVE-2023-38831, CVSS score: 7.8) to propagate a malware called LONEPAGE.

The latest infection chain involves using email lures related to court summons to entice recipients into clicking on links that are shortened using URL shortening services like Cuttly. These links, which are sent via UKR.NET email addresses, point to a double archive file containing an HTML Application (HTA) file.
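The "double archive containing an HTA" delivery described above is something a mail or web gateway can check for. The following is an added example, not code from CERT-UA or the article; it assumes ZIP containers (the article does not name the archive format), and the extension list beyond `.hta` and the sample file names are constructed for illustration.

```python
import io
import zipfile

# .hta is the type named in the article; the other script-host
# extensions are an assumption added for this example.
RISKY_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk")
MAX_DEPTH = 3                    # stop after this many archive layers
MAX_MEMBER = 20 * 1024 * 1024    # skip members over 20 MiB (zip-bomb guard)


def find_risky_members(data, depth=0, prefix=""):
    """Return [(path, depth)] for risky files, descending into nested ZIPs."""
    hits = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            path = prefix + info.filename
            if info.filename.lower().endswith(RISKY_EXT):
                hits.append((path, depth))
                continue
            try:
                inner = zf.read(info)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                continue  # encrypted, unsupported or corrupt member
            if zipfile.is_zipfile(io.BytesIO(inner)):
                hits.extend(find_risky_members(inner, depth + 1, path + "!"))
    return hits


def build_sample():
    """Constructed sample: outer ZIP -> inner.zip -> summons.hta (inert text)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("summons.hta", "<html><!-- constructed placeholder --></html>")
        zf.writestr("readme.txt", "constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, depth in find_risky_members(build_sample()):
        print(f"risky member at nesting depth {depth}: {path}")
```

A hit at depth 1 or deeper is the nested-archive case; members that cannot be read (for example, password-protected ones) are skipped here and would need separate handling.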


The execution of the HTA payload triggers the launch of an obfuscated Visual Basic Script file that, in turn, creates a scheduled task for persistence and ultimately runs a loader named MATCHBOIL, a C#-based program that’s designed to drop additional malware on the host.
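The HTA to VBScript to scheduled-task sequence described above leaves a recognizable process ancestry. The following is an added detection sketch, not code from CERT-UA or the article; the event field names, PIDs, paths and task name are constructed, and it assumes the task is created with `schtasks.exe` (a task registered through COM would not appear as a child process).

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}


def detect_hta_chains(events):
    """Flag mshta.exe descendants that run a script host or create a task.

    events: process-creation records in chronological order. PID reuse is
    ignored here; real telemetry should key on a unique process GUID.
    """
    tainted = {}   # pid -> image names leading back to mshta.exe
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image == "mshta.exe":
            tainted[ev["pid"]] = ["mshta.exe"]
            continue
        chain = tainted.get(ev["ppid"])
        if chain is None:
            continue
        chain = chain + [image]
        tainted[ev["pid"]] = chain      # keep following the descendants
        if image in SCRIPT_HOSTS:
            alerts.append(("script-host-from-hta", " > ".join(chain)))
        elif image == "schtasks.exe" and "/create" in ev["cmd"].lower():
            alerts.append(("task-created-from-hta", " > ".join(chain)))
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\Downloads\summons.hta"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\a.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /create /tn ExampleTask /tr example.exe /sc minute"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for rule, chain in detect_hta_chains(SAMPLE_EVENTS):
        print(rule, chain)
```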

This includes a backdoor called MATCHWOK and a stealer named DRAGSTARE. Also written using the C# programming language, MATCHWOK is capable of executing PowerShell commands and passing the results of the execution to a remote server.

DRAGSTARE, on the other hand, is equipped to collect system information, data from web browsers, files matching a specific list of extensions (“.docx”, “.doc”, “.xls”, “.txt”, “.ovpn”, “.rdp”, “.txt”, and “.pdf”) from the “Desktop”, “Documents”, and “Downloads” folders, and screenshots, and to run PowerShell commands received from an attacker-controlled server.


The disclosure comes a little over a month after ESET published a detailed report cataloging Gamaredon’s “relentless” spear-phishing attacks against Ukrainian entities in 2024, detailing its use of six new malware tools that are engineered for stealth, persistence, and lateral movement:

  • PteroDespair, a PowerShell reconnaissance tool to collect diagnostic data on previously deployed malware
  • PteroTickle, a PowerShell weaponizer that targets Python applications converted into executables on fixed and removable drives to facilitate lateral movement by injecting code that likely serves PteroPSLoad or another PowerShell downloader
  • PteroGraphin, a PowerShell tool to establish persistence using Microsoft Excel add-ins and scheduled tasks, as well as create an encrypted communication channel for payload delivery, through the Telegraph API
  • PteroStew, a VBScript downloader (similar to PteroSand and PteroRisk) that stores its code in alternate data streams associated with benign files on the victim’s system
  • PteroQuark, a VBScript downloader introduced as a new component within the VBScript version of the PteroLNK weaponizer
  • PteroBox, a PowerShell file stealer resembling PteroPSDoor but exfiltrating stolen files to Dropbox


“Gamaredon’s spearphishing activities significantly intensified during the second half of 2024,” security researcher Zoltán Rusnák said. “Campaigns typically lasted one to five consecutive days, with emails containing malicious archives (RAR, ZIP, 7z) or XHTML files employing HTML smuggling techniques.”

The attacks often result in the delivery of malicious HTA or LNK files that execute embedded VBScript downloaders such as PteroSand, along with distributing updated versions of its existing tools like PteroPSDoor, PteroLNK, PteroVDoor, and PteroPSLoad.

Other notable aspects of the Russian-aligned threat actor’s tradecraft include the use of fast-flux DNS techniques and the reliance on legitimate third-party services like Telegram, Telegraph, Codeberg, and Cloudflare tunnels to obfuscate its command-and-control (C2) infrastructure.

“Despite observable capacity limitations and abandoning older tools, Gamaredon remains a significant threat actor due to its continuous innovation, aggressive spearphishing campaigns, and persistent efforts to evade detections,” ESET said.

Some parts of this article are sourced from:
thehackernews.com
