2025-02-28
In January 2025, Ukraine's Computer Emergency Response Team (CERT-UA) issued an alert about a new cyberattack campaign targeting Ukrainian notaries. The activity, attributed to the group tracked as UAC-0173, delivers the DarkCrystal RAT (also referred to as DCRAT) remote access Trojan through phishing emails. Once the RAT is running, the operators bring in further tooling to steal credentials and obtain persistent remote access to notarial systems.
the Attack
The attack began in mid-January 2025 with phishing messages masquerading as communications from Ukraine's Ministry of Justice. The emails contained links to malicious executables hosted on Cloudflare's R2 object storage service. When a recipient downloaded and ran the file, the system was infected with DarkCrystal RAT, giving the attackers remote control of the machine.
From there, UAC-0173 deploys RDPWRAPPER (which patches Windows to permit concurrent Remote Desktop sessions) and BORE (a TCP tunnelling utility) to establish remote desktop access to the victim from outside the network, bypasses User Account Control (UAC) to run with elevated privileges, and scans the local network with NMAP. The operators also use FIDDLER to intercept credentials entered into web interfaces, and the XWORM stealer to capture keystrokes and clipboard contents. Compromised systems were additionally used to send further malicious emails, spreading the infection to new victims.
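The chain above (an executable link on R2 storage, then RDPWRAPPER, BORE, NMAP and FIDDLER on the host) is cheap to look for in mail and process telemetry. The following Python triage helper is an added example, not code from CERT-UA, Security Affairs or this page: it applies those indicators to a constructed list of events and flags when a payload link, an RDP-enabling tool and a tunnel all appear on the same host. The `*.r2.dev` host suffix, the process-name patterns and every sample event are assumptions made for the example; the campaign's real URLs and file names are not reproduced here.

```python
"""Triage events for the UAC-0173 tool chain. Added example with constructed data."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: payloads were served from public Cloudflare R2 buckets, which use
# *.r2.dev hostnames. The campaign's actual bucket names are not reproduced.
PAYLOAD_HOST_SUFFIXES = (".r2.dev",)
EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta")

# Post-compromise tools named in the reporting, matched against process image paths.
# Heuristic only: administrators also run nmap and Fiddler legitimately.
TOOL_PATTERNS = {
    "RDPWRAPPER": re.compile(r"rdpwrap", re.I),
    "BORE":       re.compile(r"(^|[\\/])bore(\.exe)?$", re.I),
    "NMAP":       re.compile(r"(^|[\\/])nmap(\.exe)?$", re.I),
    "FIDDLER":    re.compile(r"fiddler", re.I),
}

# Seeing all three on one host means RDP was enabled and tunnelled after a download.
CHAIN = {"PAYLOAD_LINK", "RDPWRAPPER", "BORE"}


def is_payload_link(url: str) -> bool:
    """True if the URL points at an executable on a public R2 bucket."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(PAYLOAD_HOST_SUFFIXES) and parsed.path.lower().endswith(EXECUTABLE_EXTS)


def classify_process(image: str) -> Optional[str]:
    """Return the tool tag whose pattern matches the process image path, if any."""
    for tag, pattern in TOOL_PATTERNS.items():
        if pattern.search(image):
            return tag
    return None


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Walk chronologically ordered events and return (event_index, tag) findings.

    Each event is a dict with "host" and "type"; mail_link events carry "url",
    process events carry "image". A single RDP_TUNNEL_CHAIN finding is emitted
    per host as soon as every tag in CHAIN has been observed on it.
    """
    findings: List[Tuple[int, str]] = []
    seen_per_host: dict = {}
    for index, event in enumerate(events):
        seen = seen_per_host.setdefault(event["host"], set())
        tag = None
        if event["type"] == "mail_link" and is_payload_link(event["url"]):
            tag = "PAYLOAD_LINK"
        elif event["type"] == "process":
            tag = classify_process(event["image"])
        if tag is None:
            continue
        findings.append((index, tag))
        seen.add(tag)
        if CHAIN <= seen and "RDP_TUNNEL_CHAIN" not in seen:
            seen.add("RDP_TUNNEL_CHAIN")
            findings.append((index, "RDP_TUNNEL_CHAIN"))
    return findings


# Constructed sample telemetry (not real campaign data): one host that follows the
# full chain, one that only shows a proxy tool and a benign document link.
SAMPLE_EVENTS = [
    {"host": "NOTARY-PC1", "type": "mail_link", "url": "https://pub-0000example.r2.dev/Nakaz_MinJust.exe"},
    {"host": "NOTARY-PC1", "type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "NOTARY-PC1", "type": "process", "image": r"C:\ProgramData\RDPWrap\RDPWInst.exe"},
    {"host": "NOTARY-PC1", "type": "process", "image": r"C:\ProgramData\bore.exe"},
    {"host": "NOTARY-PC1", "type": "process", "image": r"C:\Tools\nmap.exe"},
    {"host": "NOTARY-PC2", "type": "process", "image": r"C:\Program Files\Fiddler\Fiddler.exe"},
    {"host": "NOTARY-PC2", "type": "mail_link", "url": "https://example.gov.ua/forms/zayava.pdf"},
]

if __name__ == "__main__":
    for index, tag in triage(SAMPLE_EVENTS):
        print(f"event {index:2d} [{SAMPLE_EVENTS[index]['host']}]: {tag}")
```

The chain rule is what makes the output actionable: a lone `nmap.exe` or Fiddler process is noise in many environments, but a download from an R2 bucket followed by RDPWRAPPER and a tunnelling binary on the same host is the sequence described in the report and warrants isolating that machine.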
The CERT-UA report highlights the
What Undercode Says:
This campaign targeting Ukrainian notaries reveals the increasing sophistication of cybercriminal activity, particularly in politically charged regions. The use of DarkCrystal RAT is noteworthy because it gives the attackers persistent access to victim systems, lets them exfiltrate data, and can cause long-term damage to the services that depend on those systems. The attackers' reliance on RDPWRAPPER and BORE shows how off-the-shelf utilities are used to establish covert remote desktop access that blends in with ordinary administration rather than triggering alarms.
In addition to the RAT itself, the campaign uses widely available network-scanning and traffic-interception tools, NMAP and FIDDLER. These are routinely employed by skilled threat actors to locate reachable systems and capture credentials, which are then reused for further intrusion. The XWORM stealer, known for capturing clipboard data and logging keystrokes, is a key tool in this attack chain, allowing the attackers to harvest passwords and personal details as they are typed.
The fact that CERT-UA was able to respond quickly and provide security recommendations is a testament to the strength of Ukraine's cybersecurity infrastructure. However, the broader implications are concerning. Notaries handle highly sensitive legal documentation, making them an attractive target for adversaries looking to steal confidential information or disrupt essential services.
From an analytical standpoint, the use of cloud services like Cloudflare's R2 storage as a malware distribution vector is increasingly common among threat actors. This raises important questions about the responsibility of cloud providers in securing their platforms against abuse. As this trend continues, organizations worldwide may need to reassess their cybersecurity strategies and improve their defenses against similar tactics.
What stands out in this attack is the seamless integration of both targeted phishing and malware-based exploitation. Phishing remains one of the most effective means of infiltrating secure systems, often bypassing traditional defenses. This highlights the need for enhanced training and awareness for potential targets, particularly notaries and other professionals handling sensitive data.
UAC-0173's impersonation of Ukraine's Ministry of Justice to target notaries also underscores the ongoing cyberwarfare in Eastern Europe. With tensions rising between Ukraine and adversarial states, cyberattacks like these can be seen as a form of digital aggression designed to undermine trust in state institutions. As such, Ukraine must continue to prioritize cybersecurity investments, with a focus on defending critical infrastructure.
The attack also serves as a warning to organizations everywhere: no software vulnerability was needed here, only a convincing lure and a user able to run a downloaded executable. Ukrainian notaries were the immediate target in this case, but the methods employed by UAC-0173 can be adapted to other sectors, particularly those dealing with financial or legal data.
Fact Checker Results
- Phishing Campaign: CERT-UA's analysis confirms phishing as the entry point, with the use of deceptive emails containing executable file links.
- Use of RAT and Tools: Verified that DarkCrystal RAT (DCRAT) and auxiliary tools like RDPWRAPPER, NMAP, and XWORM were used for remote access and data exfiltration.
- Impact on Ukrainian Regions: Six regions affected, with CERT-UA and local authorities actively mitigating the threat and improving security.
References:
Reported By: https://securityaffairs.com/174723/cyber-crime/uac-0173-targets-the-notary-office-of-ukraine.html