Cybersecurity researchers issue a heads-up covering a new targeted cyber attack by the UAC-0057 group against Ukrainian public officials leveraging XLS files that contain a malicious macro spreading PicassoLoader malware. The malicious loader is capable of dropping another malicious strain dubbed njRAT to spread the infection further.
PicassoLoader and njRAT Malware Distribution by UAC-0057 Hackers: Attack Description
On July 7, 2023, CERT-UA researchers uncovered two XLS documents: one contained a legitimate macro, while the other carried a malicious macro used by the attackers at the initial stage of the intrusion. That macro decoded, deciphered, persisted, and executed the PicassoLoader malware on the targeted systems. Attackers then used PicassoLoader to download, decipher, and run the njRAT remote access tool.
The latest attack can be attributed to the UAC-0057 group, also tracked as GhostWriter, which was behind the June campaign against one of the Ukrainian universities that spread PicassoLoader and Cobalt Strike Beacon. In the ongoing operation covered in the corresponding CERT-UA#6948 alert, UAC-0057 attackers also target Ukrainian public authorities.
The investigation also found that PicassoLoader is not deployed if the targeted system is protected by Avast, FireEye, or Fortinet security products.
Detecting UAC-0057 Attacks Leveraging PicassoLoader and njRAT
To equip security teams with relevant detection algorithms to proactively spot the latest UAC-0057 cyber-attacks against Ukraine, SOC Prime Platform for collective cyber defense aggregates a batch of Sigma rules. Users can obtain this threat detection stack by pressing the Explore Detections button below or by applying the custom tags “CERT-UA#6948” and “UAC-0057”, which correspond to the security heads-up and the threat actor’s identifiers.
All the rules are mapped to the MITRE ATT&CK® framework v12, accompanied by extensive threat intel, and compatible with 28+ SIEM, EDR, and XDR technologies to match organization-specific cybersecurity needs.
For streamlined hunts, teams can look for IOCs linked to the UAC-0057 collective with the help of Uncoder AI. Just copy-paste relevant IOCs listed by CERT-UA in the latest alert into Uncoder AI and choose the targeted content type to seamlessly build a custom IOC query matching your technology stack and current security needs.
MITRE ATT&CK Context
To review a broader context linked to the most recent UAC-0057 operation covered in the CERT-UA#6948 alert, all related Sigma rules are aligned with ATT&CK v12 addressing the relevant adversary TTPs:
| Tactics | Techniques | Sigma Rule |
| --- | --- | --- |
| Initial Access | Phishing (T1566) | |
| Defense Evasion | System Binary Proxy Execution (T1218) | |
| Execution | Command and Scripting Interpreter (T1059) | |
| Execution | Windows Management Instrumentation (T1047) | |
| Discovery | Software Discovery (T1518) | |
| Command and Control | Application Layer Protocol (T1071) | |
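As an added illustration of how the TTPs in the table translate into host-level detection logic (example code, not SOC Prime's or CERT-UA's), the script below tags Windows process-creation events with the technique IDs above. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the events and the vendor/binary lists are constructed for the example.

```python
# Added example: map process-creation telemetry to the ATT&CK techniques
# listed for the UAC-0057 campaign. Sample events are constructed, not
# real telemetry; the matching lists are illustrative, not exhaustive.
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe"}
WMI_BINARIES = {"wmic.exe"}
AV_VENDORS = ("avast", "fireeye", "fortinet")  # vendors named in the alert


def _base(path):
    """Lower-cased file name of a Windows path (EXCEL.EXE -> excel.exe)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the ATT&CK technique IDs an event matches (empty if benign)."""
    image, parent = _base(event["Image"]), _base(event["ParentImage"])
    cmdline = event.get("CommandLine", "").lower()
    suspicious_children = SCRIPT_INTERPRETERS | PROXY_BINARIES | WMI_BINARIES
    hits = []
    if parent in OFFICE_PARENTS and image in suspicious_children:
        hits.append("T1566")  # Office app spawning a child: macro-laced lure
    if image in SCRIPT_INTERPRETERS:
        hits.append("T1059")
    if image in PROXY_BINARIES:
        hits.append("T1218")
    if image in WMI_BINARIES:
        hits.append("T1047")
    # Loader checks for installed security products before deploying.
    if "antivirusproduct" in cmdline or any(v in cmdline for v in AV_VENDORS):
        hits.append("T1518")
    return hits


def triage(events):
    """Keep only events that match at least one technique."""
    return [(e["ProcessId"], classify(e)) for e in events if classify(e)]


SAMPLE_EVENTS = [  # constructed Sysmon-like events
    {"ProcessId": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Run"},
    {"ProcessId": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"ProcessId": 3, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```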
The post PicassoLoader and njRAT Detection: UAC-0057 Hackers Perform a Targeted Attack Against Ukrainian Public Entities appeared first on SOC Prime.