The Cyber Incident Response Team CERT-UA has detected new threats related to cyber attacks on government agencies and companies in the defense sector.

According to the State Special Communications Service, the UAC-0099 group has significantly upgraded its toolset, introducing three new malware families: MATCHBOIL, MATCHWOK, and DRAGSTARE. The attackers use a multi-stage attack chain aimed at stealing data and taking control of victims' computers.

The attack begins with phishing emails disguised as official documents, such as "court summons." These emails contain links to legitimate file-sharing services. Clicking on the link initiates the download of a ZIP archive containing a malicious HTA file. This is the first stage of the attack.

Launching the HTA file runs a VBScript that writes two files to the victim's computer: one containing hex-encoded data and the other containing PowerShell code. A scheduled task is then created to run the PowerShell code. That script decodes the hex data into the executable MATCHBOIL loader, which is itself persisted on the system via a scheduled task.
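The chain described above (HTA run by mshta, a scheduled task whose action is PowerShell, and hidden PowerShell with the execution policy bypassed) leaves process-creation telemetry that can be matched. The following is an added example, not CERT-UA's or the advisory's own code: it runs simple detection rules over a constructed, Sysmon-style list of process events; the field names, file paths and task name are assumptions.

```python
import re

# Constructed process-creation events (Sysmon-style fields); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\court_summons.hta"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "powershell -ep bypass -w hidden '
                r'-f C:\Users\u\AppData\Local\stage.ps1" /sc minute'},
    {"pid": 103, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -w hidden -f C:\Users\u\AppData\Local\stage.ps1"},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

USER_PATH = re.compile(r"\\(downloads|temp|appdata)\\")
SCRIPT_HOST = re.compile(r"(mshta|wscript|cscript)\.exe$")


def find_indicators(events):
    """Return (pid, rule_name) pairs for events matching the UAC-0099-style chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = e["image"].lower()
        cmd = e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        parent_img = parent["image"].lower() if parent else ""
        # Rule 1: mshta executing an .hta from a user-writable download/temp location.
        if img.endswith("mshta.exe") and ".hta" in cmd and USER_PATH.search(cmd):
            hits.append((e["pid"], "hta_from_user_path"))
        # Rule 2: scheduled-task creation with a PowerShell action, spawned by a script host.
        if (img.endswith("schtasks.exe") and "/create" in cmd and "powershell" in cmd
                and SCRIPT_HOST.search(parent_img)):
            hits.append((e["pid"], "schtasks_powershell_from_script_host"))
        # Rule 3: hidden PowerShell with execution policy bypassed, running a script from AppData.
        if ("powershell" in img and re.search(r"-(ep|executionpolicy)\s+bypass", cmd)
                and re.search(r"-w(indowstyle)?\s+hidden", cmd) and "appdata" in cmd):
            hits.append((e["pid"], "hidden_powershell_bypass"))
    return hits


if __name__ == "__main__":
    for pid, rule in find_indicators(EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule alone is noisy on a busy estate; the value is in the parent-child relationship and the sequence (rule 1, then 2, then 3) appearing on one host within a short window.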

The primary targets of this group are government authorities in Ukraine, defense forces, and companies in the defense industry.

CERT-UA's research has uncovered three new samples of malware, indicating the evolution of the group's tactics.

MATCHBOIL (Downloader) delivers the main malicious payload to the infected computer. It collects basic system information to identify the victim to the command-and-control server, and then downloads the next component of the attack.

MATCHWOK (Backdoor) allows remote execution of arbitrary PowerShell commands on the compromised system; the commands are received in encrypted form and executed through a renamed copy of the PowerShell interpreter.

DRAGSTARE (Stealer) performs comprehensive data collection, including system information, browser data, and files with specific extensions, which are archived and sent to the attackers' server.

Recommendations from CERT-UA:

  • Ensure control over incoming emails and train employees to identify phishing attacks.
  • Restrict script execution and enforce security policies.
  • Implement endpoint monitoring to detect suspicious activity.
  • Protect the network perimeter using intrusion detection systems.
  • Regularly update software to safeguard against vulnerabilities.