UAC-0063 Expands Cyber Attacks to European Embassies Using Stolen Documents

Source: The Hacker News, January 29, 2025
Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE.

“This research focuses on completing the picture of UAC-0063’s operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the UK, the Netherlands, Romania, and Georgia,” Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.

UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It’s suspected to share links with a known Russian state-sponsored actor called APT28.

Merely weeks later, the Computer Emergency Response Team of Ukraine (CERT-UA) – which assigned the threat cluster the moniker – revealed that the hacking group has been operational since at least 2021, attacking state bodies in the country with a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and DownEx.

There is evidence that UAC-0063 has also targeted various organizations in Central Asia, East Asia, and Europe, according to Recorded Future’s Insikt Group, which tracks the threat actor under the name TAG-110.

Earlier this month, cybersecurity firm Sekoia disclosed that it identified a campaign undertaken by the hacking crew that involved using documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan to spear-phish targets and deliver the HATVIBE malware.

The latest findings from Bitdefender show a continuation of this behaviour, with the intrusions ultimately paving the way for DownEx, DownExPyer, and a newly discovered USB data exfiltrator codenamed PyPlunderPlug; in at least one incident, the target was a German company in mid-January 2023.

DownExPyer is equipped with a range of capabilities: it maintains a persistent connection to a remote server and receives commands to collect data, execute commands, and deploy additional payloads. The tasks it can receive from the command-and-control (C2) server are listed below:

  • A3 – Exfiltrate files matching a specific set of extensions to C2
  • A4 – Exfiltrate files and keystroke logs to C2 and delete them after transmission
  • A5 – Execute commands (by default the “systeminfo” function is called to harvest system information)
  • A6 – Enumerate the file system
  • A7 – Take screenshots
  • A11 – Terminate another running task
“The stability of DownExPyer’s core functionalities over the past two years is a significant indicator of its maturity and likely long-standing presence within the UAC-0063 arsenal,” Zugec explained. “This observed stability suggests that DownExPyer was likely already operational and refined prior to 2022.”

Bitdefender said it also identified a Python script designed to record keystrokes – likely a precursor to LOGPIE – on one of the compromised machines that was infected with DownEx, DownExPyer, and HATVIBE.

“UAC-0063 exemplifies a sophisticated threat actor group characterized by its advanced capabilities and persistent targeting of government entities,” Zugec said.

“Their arsenal, featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with potential Russian strategic interests.”
