A Russian-affiliated threat actor has been observed launching a social engineering attack against a European financial institution in an attempt to obtain intelligence or steal money, which suggests that the threat actor may be extending its reach beyond Ukraine to organizations that aid the war-torn country. Targeting an unidentified organization engaged in regional development and reconstruction projects, the activity has been linked to a cybercrime group known as UAC-0050 (also known as the DaVinci Group).
Mercenary Akula is the name that BlueVoyant has assigned to the threat cluster. The attack was noticed earlier this month. The first step is a spear-phishing email with a legal theme that instructs recipients to download an archive file hosted on PixelDrain, a file-sharing platform that the threat actor uses to get around reputation-based security measures.
The ZIP starts a multi-layered infection chain. It contains a RAR archive, which holds a password-protected 7-Zip file, which in turn contains an executable that uses the frequently abused double-extension trick (*.pdf.exe) to pose as a PDF document. Running it deploys an MSI installer for Remote Manipulator System (RMS), a Russian remote desktop program that enables file transfers, desktop sharing, and remote control.
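The nested-archive and double-extension pattern described above is something a mail gateway or triage script can flag before a user ever opens the file. The following is an added example, not code from the article or from BlueVoyant: it walks a ZIP (recursing into nested ZIPs), identifies members by magic bytes rather than file name, and reports double-extension executables, PE files, encrypted members, and nested RAR/7-Zip containers it cannot open. The sample archive is constructed in memory from harmless stand-in bytes; no real malware is involved.

```python
import io
import re
import zipfile

# Leading bytes of the containers used in the described chain, plus PE.
MAGIC = [(b"Rar!\x1a\x07", "rar"), (b"7z\xbc\xaf\x27\x1c", "7z"),
         (b"PK\x03\x04", "zip"), (b"MZ", "pe")]
EXEC_EXT = ("exe", "msi", "scr", "com", "bat", "js", "vbs")
# "<document-like>.<executable>", e.g. Invoice.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(%s)$"
                        % "|".join(EXEC_EXT), re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, not by its file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def triage_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a ZIP, recurse into nested ZIPs, and return (finding, path) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                findings.append(("encrypted-member", name))
                continue
            content = zf.read(info)
            kind = sniff(content)
            if DOUBLE_EXT.search(info.filename):
                findings.append(("double-extension", name))
            if kind == "pe":
                findings.append(("executable", name))
            if kind in ("rar", "7z"):
                findings.append(("nested-" + kind, name))  # flag only; no RAR/7z parser here
            elif kind == "zip" and depth < 3:
                findings.extend(triage_zip(content, depth + 1, name + "/"))
    return findings


def build_sample() -> bytes:
    """Constructed, harmless stand-in for the attachment pattern described."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE header only
        z.writestr("payload.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)  # fake RAR5 header
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Court_Summons.zip", inner.getvalue())
        z.writestr("readme.txt", b"plain text")
    return outer.getvalue()
```

Running `triage_zip(build_sample())` reports the double-extension executable and the nested RAR inside the inner ZIP while leaving the plain text file unflagged.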
"The use of such 'living-off-the-land' tools provides attackers with persistent, stealthy access while often evading traditional antivirus detection," the researchers observed.
RMS use is consistent with previous UAC-0050 tactics, as the threat actor has been known to use remote access trojans like RemcosRAT and legitimate remote access software like LiteManager in attacks against Ukraine. According to the Computer Emergency Response Team of Ukraine (CERT-UA), UAC-0050 is a mercenary group connected to Russian law enforcement that uses the Fire Cells brand to carry out information and psychological operations, financial theft, and data collection. BlueVoyant stated, "This attack offers a notable development, while also reflecting Mercenary Akula's well-established and repetitive attack profile."
"First, they have mainly targeted organizations with headquarters in Ukraine, particularly accountants and financial officers. This incident, however, raises the possibility of investigating Western European organizations that support Ukraine."

The revelation coincides with Ukraine's revelation that Russian cyberattacks targeting the nation's energy infrastructure are increasingly concentrated on gathering intelligence to direct missile strikes rather than instantly interfering with operations, according to The Record. In its yearly Global Threat Report, cybersecurity firm CrowdStrike stated that it anticipates Russia-affiliated adversaries to keep up their aggressive operations aimed at obtaining intelligence from NATO members and Ukrainian targets. As part of spear-phishing campaigns aimed at U.S.-based non-governmental organizations (NGOs) and a U.S.-based legal entity, APT29 (also known as Cozy Bear and Midnight Blizzard) attempted to "systematically" exploit trust, organizational credibility, and platform legitimacy in order to obtain unauthorized access to the victims' Microsoft accounts.
According to CrowdStrike, "Cozy Bear successfully compromised or impersonated individuals with whom targeted users maintained trusting professional relationships." Employees of pro-Ukraine groups and branches of international NGOs were among the impersonated individuals. "The adversary made significant investments to validate these impersonations, utilizing burner communication channels and compromised individuals' authentic email accounts to bolster authenticity."