Introduction
The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has identified renewed cyber activity from the criminal group UAC-0173 since mid-January 2025. This group, which operates for financial gain, has been executing targeted attacks against notary offices in Ukraine. Their primary objective is to gain unauthorized remote access to notaries’ systems, allowing them to manipulate state registers, CERT-UA said.
Attack Vector and Execution
Starting in late January 2025, UAC-0173 intensified its phishing campaigns. On February 11, attackers distributed malicious emails impersonating the Ministry of Justice of Ukraine. These emails contained links to executable files, such as:
- HAKA3.exe
- Order of the Ministry of Justice of February 10, 2025 No. 43613.1-03.exe
- For your information.exe
Executing these files infects the system with DARKCRYSTALRAT (DCRAT), granting attackers initial access to the compromised machine.
Tactics, Techniques, and Procedures (TTPs)
Upon initial infection, UAC-0173 deploys additional tools to establish deeper control over the compromised system:
- Remote Desktop Protocol (RDP) Exploitation: The attackers install RDPWRAPPER, which enables parallel RDP sessions. This, combined with BORE, allows direct RDP access from the Internet.
- Privilege Escalation: Attackers bypass User Account Control (UAC) mechanisms to escalate their privileges.
- Network Scanning & Credential Theft:
- NMAP is used to scan network assets.
- FIDDLER intercepts authentication credentials entered into web-based state registers.
- XWORM Stealer extracts stored passwords and clipboard data.
- Malicious Email Distribution:
- The attackers use compromised machines to send further phishing emails via the SENDEMAIL utility.
CERT-UA, in collaboration with the Notarial Chamber of Ukraine’s Cybersecurity Commission, has detected and mitigated attacks across six regions, preventing unauthorized modifications in state registers.
Indicators of Compromise (IOCs)
Malicious Files
| File Name | SHA-256 Hash |
| HAKA3.exe | a6b692e0ed3d5cd6fd20820dd06608ac7120b8beef9967442ab23dd5b7d7d7c27 |
| bore.exe (BORE) | 89b5837e2772041a6ed63e78c08426d4884e86732f0c0ccb7d802a4fd6f08d70 |
| Client.exe (DCRAT) | e9cedc98677b6b5146b14009ced7d6243788802d0823e330707ee80bb96ef29e |
| xupwork3.exe | 2bcb9aa0b04299c1c902f5f2ff4034f7f9d5f5b0b924a4ba903fdef291bfe8ea |
| ft89.exe (XWORM) | cd53f35297016fe68fa60ddaa57402ac6f37d60bd918ae4733abeffa98457409 |
| svhost.exe | 539d8bf192341c87f345790f3c2887b88ee10f65476a211ee82a7e06319bc48af |
Network Indicators
| Malicious Domains & IPs | Description |
| hxxp://193[.]233.48.166/ | Malicious file distribution |
| hxxp://91[.]92.246.18/upl/t1.exe | Malware payload |
| hxxps://87[.]120.126.48/not | Phishing infrastructure |
| 89[.]105.201.98 | Command-and-Control (C2) |
Persistence Mechanisms
| Path | Description |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | Auto-start persistence |
| %LOCALAPPDATA%\install.bat | Malicious batch script execution |
| %PROGRAMFILES%\RDP Wrapper\rdpwrap.dll | RDP backdoor installation |
Malicious URLs
- hxxp://193[.]233.48.166/Downloads/notu.lnk
- hxxp://91[.]92.246.18/upl/t1.exe
- hxxps://194[.]0.234.155/for your information.exe
- hxxps://87[.]120.126.48/notUa[.]exe
- hxxps://i.ibb[.]co/30kphkk/tymon-in-coffee-final.webp
NOTE: For a complete set of IoCs, please refer to the CERT-UA blog link at the bottom of the article.
Mitigation and Recommendations
Given the scale and persistence of this attack campaign, Ukrainian notary offices and other potential targets must take immediate action:
- Patch & Update:
- Ensure all systems are up to date with security patches.
- Disable RDP where not required.
- Enhance Email Security:
- Enable anti-phishing and email filtering mechanisms.
- Educate employees on identifying phishing emails.
- Restrict Administrative Privileges:
- Implement the principle of least privilege (PoLP).
- Enable User Account Control (UAC) and restrict the execution of unknown applications.
- Network Monitoring & Threat Hunting:
- Regularly monitor for suspicious network traffic.
- Block IOCs at firewall and endpoint security solutions.
- Incident Response Preparedness:
- Establish a rapid incident response plan.
- Work closely with CERT-UA for threat intelligence sharing.
Conclusion
The resurgence of UAC-0173’s cyber activities shows the growing threat landscape targeting Ukrainian government institutions. CERT-UA’s swift mitigation efforts of real-time threat monitoring and proactive cyber defense helped the cause. Given the continued demand for illicit modifications of state registers, it is crucial for government agencies to enhance their cybersecurity frameworks and collaborate closely with cybersecurity authorities to counter evolving threats.
For further details and incident reporting, affected entities are urged to contact CERT-UA and the Notarial Chamber of Ukraine’s Cybersecurity Commission immediately.
