Cyble Research and Intelligence Labs (CRIL) researchers have observed the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT) through the use of Python-related files.
Technical Overview of XWorm RAT Campaign
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, “pkg.zip” and “NewCopy.xlsx”, from a specified URL. The LNK shortcut file then executes “pythonw.exe” using the start command, which duplicates files and stores them in a new folder. The “pythonw.exe” loads a malicious DLL, “python310.dll”, through DLL sideloading, injecting shellcode into the MSBuild process.
The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence.
The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities.
While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.
Protecting Against XWorm RAT
The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:
- Implement strong email filtering to block malicious attachments.
- Exercise caution with email attachments, especially from unknown senders.
- Limit execution of scripting languages where possible.
- Use application whitelisting to control which programs can run.
- Deploy robust antivirus and anti-malware solutions.
- Enforce strong, unique passwords and two-factor authentication.
- Monitor networks for unusual activity or data exfiltration attempts.
The campaign demonstrates UAC-0184’s relentless efforts at attacking Ukraine with evasive techniques. The use of the XWorm RAT as the final payload indicates the intent to establish remote access over compromised systems for strategic purposes.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
