Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559)
Essential information
- Published: 20/12/2024 14:25
- Modified: 20/12/2024 14:41
- Tags: 2024-12-20 apt44 army+ cloudflare workers nsis openssh sandworm tor uac-0125
- Related entities: 6 observables, 1 intrusion set (apt), 7 techniques (mitre), 1 other
Description
A cyberattack attributed to UAC-0125 has been identified. It uses websites that mimic the official 'Army+' application page and are hosted on Cloudflare Workers; these sites prompt visitors to download a malicious executable. The EXE file is an NSIS installer containing a decoy .NET file, a Python interpreter, Tor files, and a PowerShell script. When run, it installs an OpenSSH server, generates RSA keys, and configures hidden remote access to the victim's computer over Tor. This activity is associated with UAC-0002 (APT44/Sandworm). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. If the initial compromise succeeds, the attackers may extend the attack to the organization's wider IT infrastructure.
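The chain described above (NSIS dropper, PowerShell setting up an OpenSSH server, RSA key generation, Tor for hidden access) leaves a distinctive sequence of process-creation events on the host. The following is an added detection sketch, not CERT-UA's code and not derived from the actual sample: it correlates Sysmon-style process events per host and alerts when an OpenSSH server setup and a Tor process appear within a short window. The field names, the stage rules, the paths and the sample events are all constructed assumptions about what the chain would look like; a real deployment would tune them against observed telemetry.

```python
"""Host-level correlation of the UAC-0125 'Army+' dropper stages.

Added example, not from the advisory. Events are reduced Sysmon Event ID 1
records (process creation). All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: int            # seconds since epoch (constructed values below)
    image: str         # full path of the created process
    cmdline: str
    parent_image: str


def _basename(path: str) -> str:
    # Windows path split done by hand so the code runs on any platform.
    return path.rsplit("\\", 1)[-1].lower()


# Locations from which a dropped payload would typically run (assumption).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\ProgramData\\|\\Temp\\", re.I)

# Stage rules derived from the advisory's description of the chain. The exact
# command lines of the real sample are not on the page; these are assumptions.
STAGE_RULES = {
    # PowerShell installing or starting the OpenSSH server.
    "sshd_setup": lambda ev: _basename(ev.image) == "powershell.exe"
        and re.search(r"openssh\.server|\bsshd\b", ev.cmdline, re.I) is not None,
    # RSA key generation or writes to the admin authorized_keys file.
    "ssh_keygen": lambda ev: _basename(ev.image) == "ssh-keygen.exe"
        or re.search(r"administrators_authorized_keys", ev.cmdline, re.I) is not None,
    # Tor process or a hidden-service option on the command line.
    "tor": lambda ev: _basename(ev.image) == "tor.exe"
        or re.search(r"HiddenServicePort", ev.cmdline) is not None,
    # Bundled Python interpreter executing from a user-writable path.
    "bundled_python": lambda ev: _basename(ev.image) in ("python.exe", "pythonw.exe")
        and USER_WRITABLE.search(ev.image) is not None,
}

WINDOW_SECONDS = 15 * 60


def correlate(events, window=WINDOW_SECONDS):
    """Return {host: {"stages": set_of_stage_names, "alert": bool}}.

    Alert when an OpenSSH server setup and a Tor process are seen on the same
    host within `window` seconds. The other stages raise confidence and are
    reported, but are not required for the alert (an admin legitimately
    installing OpenSSH produces sshd_setup alone and must not alert).
    """
    hits = defaultdict(list)
    for ev in events:
        for stage, rule in STAGE_RULES.items():
            if rule(ev):
                hits[ev.host].append((ev.ts, stage))

    result = {}
    for host, host_hits in hits.items():
        ssh_ts = [t for t, s in host_hits if s == "sshd_setup"]
        tor_ts = [t for t, s in host_hits if s == "tor"]
        alert = any(abs(a - b) <= window for a in ssh_ts for b in tor_ts)
        result[host] = {"stages": {s for _, s in host_hits}, "alert": alert}
    return result


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is an
# administrator enabling OpenSSH by hand (no Tor, no key drop).
SAMPLE_EVENTS = [
    ProcEvent("WS-01", 1010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Add-WindowsCapability -Online -Name OpenSSH.Server; Start-Service sshd",
              r"C:\Users\olena\Downloads\setup.exe"),
    ProcEvent("WS-01", 1025, r"C:\Windows\System32\OpenSSH\ssh-keygen.exe",
              "ssh-keygen.exe -t rsa -N \"\" -f C:\\ProgramData\\ssh\\key",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("WS-01", 1040, r"C:\Users\olena\AppData\Local\Temp\tor\tor.exe",
              "tor.exe -f torrc",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("WS-01", 1050, r"C:\Users\olena\AppData\Local\Temp\py\python.exe",
              "python.exe helper.py",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("WS-02", 5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Add-WindowsCapability -Online -Name OpenSSH.Server",
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(verdict["stages"]), "ALERT" if verdict["alert"] else "ok")
```

The decisive pairing is OpenSSH server setup plus a Tor process on the same host; either alone is common enough (remote administration, privacy tooling) that it should only raise confidence, which is why the other stages are reported but not required.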