
HOMESTEEL Malware Emerges as Ukraine’s Newest Cyberthreat


The recent cyber campaign launched by threat actor UAC-0218 has sparked concern as a new malware variant named HOMESTEEL targets critical data repositories in Ukraine. Ukraine’s Computer Emergency Response Team (CERT-UA) has raised the alarm over this offensive, signaling the persistent threat posed by adversaries seeking to steal sensitive information from government and business networks.

CERT-UA has identified the phishing tactics employed by the attackers: emails with familiar subject lines such as “account” and “details” lure recipients into clicking links that lead to a seemingly legitimate “eDisk” file-sharing platform. Once users download RAR archives from the platform, they unknowingly expose their systems to the HOMESTEEL malware. The infection chain starts from a hidden, encoded VBScript (.vbe) file, “Password.vbe,” packed inside the downloaded archive, which kicks off the data-siphoning routine.

One alarming aspect of HOMESTEEL is that it honours the proxy settings configured on compromised systems, so its traffic blends in with ordinary outbound connections and is harder to detect and trace back to its origin. Each outbound request to the attacker’s server includes the full path of the extracted file, which lets the attackers catalogue sensitive information across compromised systems with precision. This level of customization points to a degree of surveillance intelligence beyond typical malware attacks.

The malware’s reliance on PowerShell, the command-line shell built into Windows, adds another layer of complexity to the attack. For collection, HOMESTEEL scans user directories for specific file extensions and uploads the matching files to a central server via HTTP POST requests. Pairing the VBScript launcher with PowerShell-based collection is what the campaign relies on to get past the security controls encountered during the initial infection.
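The two paragraphs above describe the traffic a defender can hunt for: HTTP POSTs from a script host that carry the full Windows path of a file harvested from a user profile. The following Python detector is an added example, not CERT-UA's code or any HOMESTEEL artefact; it assumes a constructed proxy-log format, assumes the path travels in the request target, and uses a constructed extension watch-list and documentation IP addresses.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# Constructed proxy-log format: <ts> <src_ip> <client_process> <method> <url>
Event = namedtuple("Event", "ts src process method url")
# Assumption (not stated by the article): the stolen file's full path rides in the request target.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\s]+\\)*[^\\/:*?"<>|\s]+')
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# The article says "specific file extensions" without listing them; this watch-list is an assumption.
WATCH_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".zip", ".rar"}

def exfil_indicators(ev: Event) -> list[str]:
    """Reasons this request looks like path-tagged file exfiltration (empty if none)."""
    reasons: list[str] = []
    m = WIN_PATH.search(unquote(ev.url))
    if ev.method != "POST" or not m:
        return reasons
    path = m.group(0)
    reasons.append("windows path in request target")
    if path.lower().startswith("c:\\users\\"):
        reasons.append("file under a user profile")
    name = path.rsplit("\\", 1)[-1]
    if "." in name and "." + name.rsplit(".", 1)[-1].lower() in WATCH_EXT:
        reasons.append("watched document extension")
    if ev.process.lower() in SCRIPT_HOSTS:
        reasons.append("sent by a script host")
    return reasons

def hunt(lines: list[str], min_reasons: int = 3) -> dict[str, list[str]]:
    """Map each source host to the full paths of files it appears to be exfiltrating."""
    hits: dict[str, list[str]] = {}
    for ev in (Event(*l.split()) for l in lines if l.strip()):
        if len(exfil_indicators(ev)) >= min_reasons:
            hits.setdefault(ev.src, []).append(WIN_PATH.search(unquote(ev.url)).group(0))
    return hits

# Constructed sample; 198.51.100.7 is a documentation address standing in for the collection server.
SAMPLE_LOG = [
    "2024-10-21T09:14:02Z 10.0.0.15 powershell.exe POST http://198.51.100.7/up?f=C%3A%5CUsers%5Calice%5CDocuments%5Cplan.docx",
    "2024-10-21T09:14:03Z 10.0.0.15 powershell.exe POST http://198.51.100.7/up?f=C%3A%5CUsers%5Calice%5CDesktop%5Cnotes.txt",
    "2024-10-21T09:15:10Z 10.0.0.22 chrome.exe POST https://mail.example.com/compose",
    "2024-10-21T09:16:44Z 10.0.0.22 chrome.exe GET http://198.51.100.7/up?f=C%3A%5CUsers%5Cbob%5Cfile.pdf",
    "2024-10-21T09:17:01Z 10.0.0.31 wscript.exe POST http://198.51.100.7/up?f=C%3A%5CUsers%5Ccarol%5CDownloads%5Creport.pdf",
]

if __name__ == "__main__":
    for host, files in hunt(SAMPLE_LOG).items():
        print(host, "->", files)
```

Because the path is echoed in every upload, the same logic also rebuilds the attacker's catalogue per host, which is exactly the list an incident responder needs to scope what was taken.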

Furthermore, the infrastructure tactics employed in the HOMESTEEL campaign have been linked back to previous attacks in August 2024, based on domain registration data. The attackers leveraged HostZealot as a domain name registrar and configured a Python-based web server for data reception. This link to prior attacks demonstrates a persistent strategy by threat actor UAC-0218, utilizing existing assets to streamline operations and increase efficiency.

The HOMESTEEL campaign underscores the ongoing challenge posed by cyber aggression against Ukraine. CERT-UA’s proactive monitoring of UAC-0218 signals a critical awareness of evolving malware tactics and sophisticated phishing techniques targeting Ukrainian networks. With indicators of compromise shared by CERT-UA, including file hashes, network addresses, and host details, cyber defenders have valuable insights to enhance their defense mechanisms and mitigate future threats.

As Ukraine continues to face evolving cyber espionage campaigns, the vigilance and proactive measures taken by CERT-UA are crucial in safeguarding critical data and infrastructure from malicious actors. The HOMESTEEL campaign serves as a stark reminder of the persistent threat landscape facing Ukraine and the need for robust cybersecurity measures to protect against sophisticated cyber attacks.
