
Russian-Linked Hackers Target Ukraine Using XWorm Malware


Cyble Research and Intelligence Labs (CRIL) researchers have recently uncovered a cyber threat targeting Ukraine by the Russia-linked threat actor group UAC-0184. This group has been utilizing the XWorm remote access trojan (RAT) in their attacks, using Python-related files as part of their malicious campaign.

The campaign begins with the distribution of a deceptive LNK shortcut file disguised as a legitimate Excel document. Once executed, the LNK file triggers a PowerShell script that downloads two files, “pkg.zip” and “NewCopy.xlsx”, from a specified URL. The shortcut then launches “pythonw.exe” through the start command, which copies the files into a new folder. From there, “pythonw.exe” loads a malicious DLL, “python310.dll”, via DLL sideloading, and that DLL injects shellcode into the MSBuild process.

The hackers behind this campaign have employed techniques such as DLL sideloading to evade security controls and inject the XWorm RAT into running processes using a tool called Shadowloader. This covert approach aims to conceal the presence of the malware and evade detection.

Upon execution, the XWorm RAT offers a range of capabilities, including data theft, DDoS attacks, and manipulation of cryptocurrency addresses. The sample attempted to connect to a Command-and-Control (C&C) server, but the server was inactive during analysis, so no further malicious activity could be observed at that time.

While the exact method of initial infection remains uncertain, researchers suspect phishing emails as a likely vector. The identity of the targeted victims could not be determined from the Excel lure used in the campaign. Previous observations by CRIL researchers indicate that the UAC-0184 threat actor group tailors its lures to Ukrainian targets, often mimicking official government or utility communications.

To combat the XWorm RAT malware and similar threats, Cyble researchers advise implementing robust email filtering to block malicious attachments, exercising caution with email attachments from unknown senders, limiting the execution of scripting languages, utilizing application whitelisting, deploying effective antivirus and anti-malware solutions, enforcing strong passwords and two-factor authentication, and monitoring networks for suspicious activities.

This campaign illustrates the persistent efforts of UAC-0184 in targeting Ukraine with evasive tactics. The utilization of the XWorm RAT as the final payload signifies the group’s intention to establish remote access on compromised systems for strategic purposes.

In conclusion, this report serves as a reminder for users to exercise caution and adopt proactive security measures to safeguard against evolving cyber threats. The constantly evolving landscape of cyber attacks necessitates vigilance, effective defense strategies, and continuous monitoring to mitigate risks and protect critical systems and data.
