
UAC-0050 Expands Into Western Europe: Spoofed Judicial Domains and RMS-Based Intrusions

  • Javier Conejo del Cerro
  • 3 days ago
  • 3 min read

The Russia-aligned threat actor UAC-0050 (also known as DaVinci Group and designated Mercenary Akula by BlueVoyant) has targeted a Western European financial institution involved in regional development and reconstruction efforts. The operation marks a potential expansion beyond its historically Ukraine-focused targeting. The spear-phishing campaign specifically targeted a senior legal and policy advisor involved in procurement — a position with privileged visibility into financial mechanisms and institutional operations — suggesting objectives aligned with intelligence gathering and possible financial theft.


Phase 1: Social Engineering Through Spoofed Judicial Domains


The attack chain begins with a carefully crafted spear-phishing email leveraging legal themes. The email spoofed a Ukrainian judicial domain to increase legitimacy and exploit contextual trust linked to ongoing geopolitical developments.

The message directed the recipient to download an archive file hosted on PixelDrain, a legitimate file-sharing service frequently abused to bypass reputation-based security controls. By outsourcing payload hosting to a trusted platform, the attackers reduced the likelihood of automated blocking.

This phase reflects UAC-0050’s known modus operandi: exploiting institutional credibility and trusted services rather than relying on technical exploitation alone.


Phase 2: Multi-Layered Archive Delivery and Execution


Once downloaded, the archive initiated a deliberately layered infection chain:

  1. An outer ZIP archive, containing

  2. a nested RAR file, containing

  3. a password-protected 7-Zip archive, containing

  4. an executable disguised with a double extension (*.pdf.exe)

The double-extension trick allowed the malicious executable to masquerade as a PDF document, exploiting user assumptions about file types.

Upon execution, the payload deployed an MSI installer that installed Remote Manipulator System (RMS) — legitimate Russian-developed remote desktop software capable of remote control, desktop sharing, and file transfers.

The use of RMS illustrates a classic “living-off-the-land” strategy: leveraging legitimate remote administration tools to blend malicious activity into normal administrative patterns and evade traditional antivirus detection.


Phase 3: Remote Access, Intelligence Collection, and Financial Exposure


Once installed, RMS provided the attacker with:

  • Full remote desktop control

  • File transfer capabilities

  • Persistent remote access

Given the target’s role in procurement and financial oversight, this level of access could enable:

  • Collection of sensitive financial documentation

  • Intelligence on reconstruction funding mechanisms

  • Access to internal communications

  • Potential financial manipulation or fraud preparation

CERT-UA has previously characterized UAC-0050 as a mercenary group associated with Russian law enforcement agencies, conducting data gathering, financial theft, and information/psychological operations under the “Fire Cells” branding.

Historically, UAC-0050 has targeted Ukrainian accountants and financial officers using tools such as RMS, LiteManager, and RemcosRAT. This new campaign suggests a strategic broadening toward Ukraine-supporting institutions in Western Europe.


Strategic Context: Broader Russian Intelligence Activity


The campaign aligns with broader Russia-nexus threat activity:

  • Ukraine has reported increasing cyber operations aimed at collecting intelligence to guide physical military targeting.

  • CrowdStrike’s Global Threat Report highlights continued aggressive intelligence operations by Russian-aligned adversaries against Ukrainian targets and NATO member states.

  • APT29 (Cozy Bear / Midnight Blizzard) has systematically exploited trusted relationships to compromise NGOs and legal entities via Microsoft account access.

The UAC-0050 operation fits into this wider pattern of intelligence-driven campaigns targeting institutions connected to Ukraine.


Defensive Measures


Organizations, especially financial and reconstruction-related entities, should implement:

  • Strict filtering of spoofed or lookalike domains

  • Blocking execution of double-extension files (*.pdf.exe)

  • Restricting MSI installer execution where unnecessary

  • Monitoring for abuse of legitimate remote tools (RMS, LiteManager) and for remote access trojans such as RemcosRAT

  • Enforcing multi-factor authentication (MFA) on privileged accounts

  • Detecting archive-staged delivery chains (ZIP → RAR → 7z)

  • Deploying behavioral EDR to flag anomalous remote sessions and file transfers

  • Conducting role-based access segmentation for procurement and financial staff
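The delivery chain from Phase 2 and the detection bullets above (double-extension files, ZIP → RAR → 7z staging, MSI execution) can be turned into simple triage rules. The following is an added example, not code from the article or from any vendor; the event format, the extractor path convention and all file names are constructed assumptions.

```python
"""Triage rules for the delivery chain described above: nested archives
(ZIP -> RAR -> 7z), a double-extension executable (*.pdf.exe) and an MSI
install spawned by it. Added example; event shape and paths are constructed."""
import re
from pathlib import PureWindowsPath

ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
# A document-looking extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com)$", re.IGNORECASE)

def archive_chain(path):
    """Archive suffixes along a path as an extractor renders it, e.g.
    outer.zip\\inner.rar\\inner.7z\\file (a constructed convention)."""
    suffixes = [PureWindowsPath(p).suffix.lower() for p in PureWindowsPath(path).parts]
    return [s.lstrip(".") for s in suffixes if s in ARCHIVE_EXTS]

def is_double_extension(name):
    # Explorer hides known extensions by default, so decision.pdf.exe shows as decision.pdf.
    return DOUBLE_EXT.search(name) is not None

def triage(events):
    """Return (rule, subject, detail) tuples for events matching the chain."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create":
            chain = archive_chain(ev["path"])
            if len(chain) >= 2:
                findings.append(("nested_archives", ev["path"], ">".join(chain)))
            if is_double_extension(ev["path"]):
                findings.append(("double_extension", ev["path"], chain[-1] if chain else ""))
        elif ev["type"] == "process_start":
            # msiexec launched by a disguised document is the RMS-install step.
            if ev["image"].lower() == "msiexec.exe" and is_double_extension(ev["parent"]):
                findings.append(("msi_from_disguised_exe", ev["parent"], ev["image"]))
    return findings

# Constructed sample telemetry (paths and names are invented).
NESTED = r"C:\Users\advisor\Downloads\court_notice.zip\ruling.rar\evidence.7z\decision.pdf.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\advisor\Documents\report.pdf"},
    {"type": "file_create", "path": NESTED},
    {"type": "process_start", "image": "msiexec.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_start", "image": "msiexec.exe", "parent": NESTED},
]

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {subject} ({detail})")
```

The benign PDF and the explorer-spawned msiexec produce no findings, while the nested path yields three, which is the combination worth an alert rather than any single rule on its own.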


This campaign does not introduce novel malware or zero-day exploitation. Instead, it reinforces a pattern: careful social engineering, trusted infrastructure abuse, layered archive delivery, and the deployment of legitimate remote administration tools for stealthy persistence.


The targeting of a Western European reconstruction-linked financial institution suggests strategic probing beyond Ukraine, potentially aiming to map financial flows, institutional structures, and geopolitical support mechanisms.


UAC-0050 continues to demonstrate that disciplined tradecraft, not technical novelty, remains highly effective in intelligence-driven operations.



The Hacker News

