Cyble Research and Intelligence Labs (CRIL) researchers have observed the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT) through the use of Python-related files.
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, “pkg.zip” and “NewCopy.xlsx”, from a specified URL. The LNK shortcut file then executes “pythonw.exe” using the start command, which duplicates files and stores them in a new folder. The “pythonw.exe” loads a malicious DLL, “python310.dll”, through DLL sideloading, injecting shellcode into the MSBuild process.
The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence.
The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities.
While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.
The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:
The campaign demonstrates UAC-0184’s relentless efforts at attacking Ukraine with evasive techniques. The use of the XWorm RAT as the final payload indicates the intent to establish remote access over compromised systems for strategic purposes.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Taiwan cyber risk concerns rise after 726 cybersecurity incidents involving ransomware, fake software, and supply chain threats.
Wireshark 4.6.6 fixes ROHC Dissector Crash and global-buffer-overflow bugs, improving Windows support and parser stability.
To reduce exposure to these attacks, the FBI advised organizations to restrict or block device code authentication flows wherever possible.
TCE weekly roundup covers cybersecurity threats, AI misuse, supply chain attacks, and global incidents shaping today’s evolving cyber risk landscape.
The pitch for "Active Listening," an AI-powered advertising service that listened to consumers' real-world conversations through their smartphones and smart…
The report stressed that organizations need clearer governance policies around AI usage as adoption continues accelerating across workplaces.
This website uses cookies. By continuing to use this website you are giving consent to cookies being used.
Read More