UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware

A Russian-aligned threat actor has been spotted targeting a European financial institution as part of a social engineering attack to facilitate intelligence gathering or money laundering, indicating a possible expansion of the threat actor’s targeting beyond Ukraine and organizations supporting the war-torn country.
The operation, which targeted an unnamed business involved in regional development and reconstruction projects, has been attributed to a cybercrime group tracked as UAC-0050 (also known as the DaVinci Group). BlueVoyant tracks the group under the name Mercenary Akula. The attack was observed earlier this month.
“This attack compromised a Ukrainian court website to send an email containing a link to a remote payment,” said researchers Patrick McHale and Joshua Green in a report shared with The Hacker News. “The goal was to be a senior legal and policy advisor involved in procurement, a role with special insight into institutional operations and financial practices.”
The starting point is a phishing email that uses legal themes to direct recipients to download an archive file hosted on PixelDrain, a file sharing service used by the threat actor to bypass reputation-based security controls.
The ZIP archive initiates a multi-layered infection chain. Inside the ZIP file is a RAR archive containing a password-protected 7-Zip file, which in turn holds an executable that poses as a PDF document by means of a widely exploited double-extension trick (*.pdf.exe).
Running the executable leads to the deployment of an MSI installer for Remote Manipulator System (RMS), Russian remote desktop software that enables remote control, desktop sharing, and file transfer.
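The nested-archive chain described above (ZIP, then RAR, then a password-protected 7-Zip file, ending in a *.pdf.exe) is something a mail gateway or triage script can flag before a user ever opens it. The following is an added example, not code from BlueVoyant or the original article: it recursively walks ZIP archives with the Python standard library, reports nested RAR/7z members (which the standard library cannot open) and password-protected members for separate unpacking, and flags document-looking names that carry an executable extension or a PE header. The sample archive it builds is constructed for the demonstration and contains no real program.

```python
import io
import re
import zipfile

# Magic bytes of archive formats zipfile cannot open; such members are reported
# for manual unpacking rather than parsed here.
MAGIC = {b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
# Document-like extension immediately followed by an executable one (e.g. court_notice.pdf.exe)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com|msi)$", re.IGNORECASE)
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def scan_archive(data: bytes, path: str = "") -> list:
    """Recursively inspect a ZIP blob; return (member_path, finding) tuples."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                findings.append((path, f"nested {kind} archive (unpack separately)"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # encryption bit set: password-protected member
                findings.append((member, "password-protected member"))
                continue
            content = zf.read(info.filename)
            if DOUBLE_EXT.search(info.filename):
                findings.append((member, "double extension masquerading as document"))
            elif info.filename.lower().endswith(DOC_EXT) and content.startswith(b"MZ"):
                findings.append((member, "PE header inside document-named file"))
            findings.extend(scan_archive(content, member))  # descend into nested archives
    return findings


def build_sample() -> bytes:
    """Constructed test input mimicking the chain: ZIP -> ZIP -> *.pdf.exe, plus a 7z stub."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("court_notice.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub, not runnable
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("court_notice.zip", inner.getvalue())
        zf.writestr("payload.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)  # 7z magic only
    return outer.getvalue()


if __name__ == "__main__":
    for member, finding in scan_archive(build_sample()):
        print(f"{member}: {finding}")
```

In a real pipeline the nested RAR/7z members would be handed to a dedicated unpacker (with the password recovered from the lure email, if known) and the extracted files fed back through scan_archive.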
“The use of such ‘living off-world’ tools gives attackers persistent, stealthy access while often evading traditional antivirus detection,” the researchers note.
The use of RMS is consistent with UAC-0050’s established modus operandi: the threat actor is known to drop legitimate remote access software such as LiteManager and remote access trojans such as RemcosRAT in attacks targeting Ukraine.
The Computer Emergency Response Team of Ukraine (CERT-UA) identified UAC-0050 as a military group associated with Russian law enforcement agencies conducting data collection, money laundering, and intelligence operations under the Fire Cells brand.
“This attack demonstrates the well-established and repeatable profile of Mercenary Akula, while also providing significant improvements,” BlueVoyant said. “First, their targeting is focused on companies based in Ukraine, especially refugees and financial officials. However, this incident shows the investigation of pro-Ukraine institutions in Western Europe.”
The disclosure comes as Ukraine revealed that Russian cyber attacks targeting the country’s energy infrastructure are increasingly focused on gathering intelligence to guide missile strikes rather than disrupting immediate operations, The Record reported.
Cybersecurity company CrowdStrike, in its annual Global Threat report, said it expects Russia-nexus adversaries to continue aggressive operations aimed at gathering intelligence from targets in Ukraine and NATO member states.
This includes efforts by APT29 (also known as Cozy Bear and Midnight Blizzard) to “systematically” exploit trust, organizational credibility, and platform legitimacy in phishing campaigns targeting US-based non-governmental organizations (NGOs) and US-based legal entities in order to gain unauthorized access to victims’ Microsoft accounts.
“Cozy Bear has successfully compromised or impersonated targeted users who maintain a trusted professional relationship,” CrowdStrike said. “The impersonators include staff from branches of international NGOs and organizations supporting Ukraine.”
“The adversary has invested heavily in verifying this impersonation, using legitimate email accounts of vulnerable people and hot social media channels to reinforce authenticity.”