Analysis of UAC-0050 Mass Phishing Campaigns: CVE-2024-43451 (CVSS 6.5) and CERT-UA
Key Takeaways:
- UAC-0050 remains a persistent threat to Ukrainian infrastructure, utilizing high-volume social engineering and mass mailing.
- The group exploits CVE-2024-43451, a Windows vulnerability that discloses NTLM hashes with minimal user interaction.
- Primary payloads include RemcosRAT for full system control and MedusaHTTP for botnet capabilities.
- Mitigation requires a combination of SMB security hardening, Kerberos migration, and advanced threat intelligence monitoring.
Table of Contents:
- Tactical Analysis of Recent CERT-UA Findings on UAC-0050
- Payload Analysis: RemcosRAT and MedusaHTTP
- Exploitation of CVE-2024-43451
- Monitoring Dark Web and Telegram Channels
- Real-Time Intelligence and Ransomware Proximity
- Infrastructure and Obfuscation
- Protecting the Supply Chain and Brand Integrity
- Practical Takeaways for Mitigation
- PurpleOps Expertise in Threat Mitigation
- Frequently Asked Questions
The Computer Emergency Response Team of Ukraine (CERT-UA) recently identified a surge in targeted mass mailing campaigns orchestrated by the threat actor designated as UAC-0050. These operations frequently leverage social engineering tactics and known vulnerabilities, such as CVE-2024-43451 (CVSS 6.5), to deploy various Remote Access Trojans (RATs) including RemcosRAT and MedusaHTTP. The persistent targeting of governmental and private sector entities within Ukraine and neighboring regions underscores a systematic approach to data exfiltration and credential theft.
Tactical Analysis of Recent CERT-UA Findings on UAC-0050
The UAC-0050 threat group is a well-documented cluster of activity that primarily focuses on espionage and financial gain. Their methodology involves the distribution of malicious emails that impersonate judicial authorities, tax services, or popular software providers. According to reports from CERT-UA, the group has refined its delivery chain to bypass traditional perimeter security measures.
The infection vector typically begins with a phishing email containing an attachment, such as a password-protected archive (ZIP or 7z). Inside these archives are often disguised executable files or LNK files. In recent campaigns, the group has exploited CVE-2024-43451 (CVSS 6.5), a vulnerability in Windows that allows for NTLM hash disclosure. This flaw is triggered when a user interacts with a specially crafted file, such as by right-clicking or even hovering over it in specific environments. The disclosure of an NTLM hash provides the attacker with the necessary credentials to perform “pass-the-hash” attacks or conduct offline brute-force attempts to crack the user’s password.
To effectively manage these risks, organizations utilize a cyber threat intelligence platform to aggregate indicators of compromise (IOCs) and monitor for shifts in UAC-0050’s tactics. This proactive approach is necessary because the group frequently updates its command-and-control (C2) infrastructure and payload obfuscation techniques to avoid detection by signature-based antivirus solutions.
Payload Analysis: RemcosRAT and MedusaHTTP
The primary goal of UAC-0050 is the deployment of the RemcosRAT. Remcos (Remote Control & Surveillance) is a commercially available tool that has been repurposed by cybercriminals for unauthorized access. Once executed, RemcosRAT provides the attacker with full control over the infected host.
Technical capabilities of RemcosRAT include:
- Keylogging: Capturing keystrokes to steal credentials, banking information, and private communications.
- Screen Capturing: Taking screenshots or recording video of the user’s desktop.
- Audio/Video Surveillance: Activating the microphone and webcam without the user’s knowledge.
- File Management: Uploading, downloading, and executing files on the local system.
- System Manipulation: Terminating processes, modifying the registry, and managing services.
In addition to RemcosRAT, UAC-0050 has been observed using MedusaHTTP, a specialized botnet agent designed for data theft and potentially launching Distributed Denial of Service (DDoS) attacks. The coexistence of these tools suggests a tiered approach to infection where the group prioritizes long-term persistence and wide-scale data collection.
Detecting these payloads requires advanced breach detection capabilities. Traditional antivirus often fails to identify the obfuscated loaders used by UAC-0050. These loaders use multiple layers of decryption and process hollowing to inject the malware directly into the memory of legitimate Windows processes like explorer.exe or svchost.exe.
Exploitation of CVE-2024-43451
The inclusion of CVE-2024-43451 (CVSS 6.5) in the UAC-0050 toolkit represents a strategic shift toward exploiting local Windows vulnerabilities to facilitate credential theft. This specific vulnerability involves an NTLM Hash Disclosure issue. Unlike many other vulnerabilities that require the user to execute a file, CVE-2024-43451 can be triggered by minimal interaction with a malicious file.
When a user selects or right-clicks a file designed to exploit this flaw, the Windows Shell improperly handles the file’s properties. This leads to an outbound SMB connection to an attacker-controlled server, during which the user’s NTLM hash is transmitted.
For engineers, this necessitates a focus on SMB security. Implementing SMB signing and disabling LLMNR/NBT-NS are critical steps in mitigating the impact of NTLM relay and disclosure attacks. Furthermore, supply-chain risk monitoring is essential when lures involve accounting software like M.E.Doc, which has historically been a high-interest target in Ukrainian cybersecurity incidents.
Monitoring Dark Web and Telegram Channels
UAC-0050 and similar actors often utilize the dark web to acquire new versions of RATs and to trade stolen data. A dark web monitoring service is vital for identifying if corporate credentials or sensitive internal documents have been leaked following a successful UAC-0050 breach. These services provide early warnings that an internal system may have been compromised before the malware begins its final exfiltration phase.
In addition to traditional underground forums, Telegram threat monitoring has become increasingly important. Threat actors use Telegram as a decentralized C2 platform and as a medium for coordinating mass mailing campaigns. UAC-0050 has been known to use Telegram bots to receive notifications about new infections, including system metadata and geographic location.
By analyzing the communications within these channels, analysts can gain underground forum intelligence that reveals the specific lures and domains being prepared for upcoming campaigns. This intelligence allows organizations to block malicious URLs and file hashes at the firewall and mail gateway levels before they reach the end-user.
Real-Time Intelligence and Ransomware Proximity
While UAC-0050’s current focus remains on espionage and credential theft, the deployment of RATs is frequently a precursor to ransomware. Once an attacker has established a foothold and exfiltrated valuable data, they may transition to deploying file-encrypting malware to maximize the profit from the intrusion.
Access to real-time ransomware intelligence allows security teams to correlate the behavior of UAC-0050 with known ransomware deployment patterns. For instance, if an infected host shows signs of lateral movement via Cobalt Strike or Brute Ratel (tools often used after the initial RemcosRAT infection), it may indicate an imminent ransomware phase.
Integrating a live ransomware API into an organization’s Security Information and Event Management (SIEM) system ensures that telemetry from infected endpoints is compared against the latest global ransomware indicators. This level of automation is necessary for rapid response in environments where the time between initial infection and full-scale encryption is decreasing.
Infrastructure and Obfuscation
The infrastructure used by UAC-0050 for C2 operations often involves a mix of compromised legitimate websites and dedicated Virtual Private Servers (VPS). The group utilizes Dynamic DNS (DDNS) services to frequently change the IP addresses associated with their C2 domains, making IP-based blocking less effective over time.
The malware itself employs sophisticated obfuscation. The RemcosRAT payload is often “packed” or “wrapped” in multiple layers of code that serve no purpose other than to confuse static analysis tools. During execution, the malware performs environment checks to determine if it is running in a sandbox or a virtual machine. If such an environment is detected, the malware will terminate or behave as a benign application to evade detection by automated breach detection systems.
To maintain persistence, the malware modifies the Windows Registry. Common keys targeted include:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Protecting the Supply Chain and Brand Integrity
The lures used by UAC-0050 often impersonate reputable brands or essential business services. This creates a dual risk: the direct threat of infection and the indirect threat to brand reputation. Brand leak alerting helps organizations understand if their own domains or brand identities are being used in phishing campaigns targeting other entities.
When a threat actor spoofs a company’s domain to send malicious emails, it can lead to the domain being blacklisted, disrupting legitimate business communication. Furthermore, supply-chain risk monitoring must extend to third-party vendors who may have lower security standards and could serve as an entry point for actors like UAC-0050 to reach their ultimate target.
Practical Takeaways for Mitigation
Technical Recommendations
- Disable NTLM Where Possible: Move toward Kerberos authentication. For systems where NTLM is required, ensure NTLMv2 is enforced and SMB signing is required globally.
- Restrict Outbound SMB: Block outbound traffic on port 445 (SMB) at the network perimeter to prevent NTLM hash leakage.
- Application Whitelisting: Use WDAC or AppLocker to prevent unauthorized binaries in user-writable directories like %APPDATA%.
- Audit LNK Execution: Monitor the creation and execution of .lnk, .vbs, and .ps1 files used in the initial stages of infection.
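As an added example that is not part of the original article, the following read-only PowerShell audit checks, on a single host, the settings discussed in the SMB security paragraph, the persistence keys listed under Infrastructure and Obfuscation, and the technical recommendations above: SMB signing on client and server, the LLMNR policy value, NetBIOS over TCP/IP per adapter, the LmCompatibilityLevel that enforces NTLMv2, and Run/RunOnce entries (HKCU and HKLM, generalizing the two keys listed earlier) whose command resolves into a user-writable directory such as %APPDATA%. The registry paths and cmdlets are standard Windows ones; the output field names and the list of user-writable directories are this example's own choices.

```powershell
# Added example (not from the original article): read-only audit of the host
# settings the text recommends. Run in an elevated PowerShell session on Windows.
function Get-SmbHardeningStatus {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    # LLMNR is off when EnableMulticast is 0 under the DNSClient policy key.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    # TcpipNetbiosOptions: 2 = NetBIOS over TCP/IP disabled on that adapter.
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.TcpipNetbiosOptions -ne 2 } | Select-Object -ExpandProperty Description
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
    $lm = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]@{
        SmbClientSigningRequired = $client.RequireSecuritySignature
        SmbServerSigningRequired = $server.RequireSecuritySignature
        LlmnrDisabled            = [bool]($llmnr -and $llmnr.EnableMulticast -eq 0)
        AdaptersWithNbtEnabled   = @($nbt)
        LmCompatibilityLevel     = $lm
    }
}

function Get-SuspiciousRunEntries {
    # Autostart values whose command resolves into a user-writable location,
    # the pattern the article describes for RemcosRAT persistence.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                      "$env:USERPROFILE\Downloads", 'C:\Users\Public') | Where-Object { $_ }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $hit = $userWritable | Where-Object { $expanded -like "*$_*" } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; RunsFrom = $hit }
            }
        }
    }
}

Get-SmbHardeningStatus | Format-List
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

The script reports rather than changes settings, so it can be run on an endpoint before and after applying the recommendations to confirm the change took effect.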
Non-Technical Recommendations
- Verify Email Sources: Confirm the identity of senders for emails regarding invoices or legal documents via a secondary channel.
- Archive Caution: Be skeptical of password-protected .zip or .7z files received via email.
- Enable MFA: Ensure Multi-Factor Authentication is active on all corporate and personal accounts.
- Least Privilege: Do not use administrative accounts for daily tasks like checking email.
PurpleOps Expertise in Threat Mitigation
PurpleOps provides comprehensive solutions to address the threats posed by groups like UAC-0050. Our cyber threat intelligence services offer deep insights into actor motivations and technical methodologies, allowing organizations to stay ahead of the latest campaign trends.
By utilizing our dark web monitoring, companies can detect credential leaks and unauthorized data sales before they result in a full-scale breach. Our platform integrates these intelligence feeds to provide a unified view of the threat environment.
For organizations concerned about the integrity of their infrastructure, our red team operations simulate the tactics of advanced persistent threats (APTs). These exercises identify vulnerabilities like CVE-2024-43451 and test the effectiveness of existing breach detection controls.
Additionally, our focus on supply chain information security helps businesses evaluate the risks posed by their vendors and partners. For entities concerned about the final stages of an attack, our ransomware protection services ensure that systems are resilient and capable of recovery. Explore our full range of PurpleOps Solutions for more information.
Frequently Asked Questions
What is the main danger of CVE-2024-43451?
The main danger is NTLM hash disclosure. It can be triggered by simple user interactions like right-clicking or hovering over a malicious file, allowing attackers to steal credentials without the user ever running an executable.
How does UAC-0050 typically deliver its malware?
UAC-0050 primarily uses mass phishing emails containing password-protected archives (ZIP/7z) that hide malicious LNK or executable files disguised as legitimate documents.
What are RemcosRAT and MedusaHTTP?
RemcosRAT is a remote access tool used for full system surveillance and control. MedusaHTTP is a botnet agent used for data theft and launching DDoS attacks.
How can I prevent NTLM hash theft?
Mitigation includes disabling NTLM in favor of Kerberos, blocking outbound SMB traffic on port 445, and enforcing SMB signing.