Criminal Group UAC-0173 Targets Ukrainian Notary Office

A new wave of attacks has been reported by the Computer Emergency Response Team (CERT-UA) of Ukraine, targeting notaries in a coordinated effort by the notorious criminal group UAC-0173. Since mid-January 2025, CERT-UA has warned of a malicious campaign involving remote access trojan (RAT) malware, specifically DCRat (aka DarkCrystal RAT), aimed at compromising Ukrainian notaries.

The attack chain begins with phishing messages supposedly sent on behalf of territorial divisions of the Ministry of Justice of Ukraine. These messages contain links pointing to executable files hosted on Cloudflare's R2 cloud storage service. Upon launching these files, systems are infected with DCRat malware, which grants UAC-0173 remote access and enables the use of RDPWRAPPER, BORE, NMAP, and FIDDLER tools.

The attackers rely heavily on FIDDLER to intercept credentials, and on the XWORM info-stealer to exfiltrate data. They have also used compromised systems to send further malicious emails with SENDEMAIL. This attack chain gives the attackers initial access to notaries' automated workstations, lets them install additional tools such as RDPWRAPPER, and lets them establish remote connections directly from the internet.

Attack Vector Breakdown

According to CERT-UA's report, UAC-0173 employs several tactics to bypass security measures:

  • RDPWRAPPER: Implements parallel RDP sessions, allowing attackers to access notaries' computers remotely.
  • BORE: Enables remote access and allows for network scanning using NMAP.
  • NMAP: Scans networks to identify potential vulnerabilities.
  • FIDDLER: Intercepts authentication data entered in the web interface of state registers, stealing logins and passwords.
  • XWORM: Steals logins and passwords from the clipboard and keyboard.

These tools combined create a formidable attack vector that notaries must be aware of to prevent exploitation.
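As an added illustration (not code from the CERT-UA report or this article), a small mail-triage routine for the lure described above: it flags a sender whose display name claims a Ministry of Justice division while the address is outside .gov.ua, and links that point to executable files on Cloudflare R2. The R2 hostname suffixes and the .gov.ua expectation are my assumptions, and the sample message is constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed hostname suffixes for Cloudflare R2 public buckets and S3-style endpoints.
R2_HOST_SUFFIXES = (".r2.dev", ".r2.cloudflarestorage.com")
# Extensions Windows executes directly when a user double-clicks the downloaded file.
EXEC_EXTENSIONS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
CLAIMED_SENDER = re.compile(r"ministry of justice|міністерств\w* юстиції", re.IGNORECASE)
LEVELS = ["low", "medium", "high"]


def classify_url(url: str) -> str:
    """Rate one link: R2-hosted executable is 'high', either trait alone is 'medium'."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    on_r2 = host.endswith(R2_HOST_SUFFIXES)
    executable = ext in EXEC_EXTENSIONS
    if on_r2 and executable:
        return "high"
    if on_r2 or executable:
        return "medium"
    return "low"


def triage_message(from_header: str, body: str) -> dict:
    """Score the sender claim and every link found in the body."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    # The lure claims to come from the Ministry of Justice; a genuine sender is assumed
    # to use a .gov.ua address, so any other domain means the display name is spoofed.
    spoofed = bool(CLAIMED_SENDER.search(display_name)) and not domain.endswith(".gov.ua")
    links = [(url, classify_url(url)) for url in URL_RE.findall(body)]
    verdict = max((level for _, level in links), key=LEVELS.index, default="low")
    return {"spoofed_sender": spoofed, "links": links, "verdict": verdict}


# Constructed sample lure: placeholder bucket id and file name, not a real indicator.
SAMPLE_FROM = '"Ministry of Justice of Ukraine, Kyiv Territorial Division" <notice@example.net>'
SAMPLE_BODY = (
    "Please review the order concerning your notarial licence.\n"
    "Download: https://pub-PLACEHOLDER.r2.dev/Nakaz_2025.exe\n"
    "Reference: https://www.example.org/info.html\n"
)

if __name__ == "__main__":
    print(triage_message(SAMPLE_FROM, SAMPLE_BODY))
```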

Recommendations and Response Measures

CERT-UA, with the assistance of the Commission on Informatization, Digital Transformation, and Prevention of Cybercrime of the Notary Chamber of Ukraine, has provided recommendations for enhancing cybersecurity among potential targets. These measures include:

  • Enhancing user account control (UAC) mechanisms.
  • Implementing robust security settings.
  • Prioritizing regular software updates and patch management.
  • Conducting regular network scans using NMAP.

Additionally, CERT-UA has identified affected computers in six Ukrainian regions, prevented attacks, and provided security settings to notaries. The report emphasizes the importance of law enforcement agencies' involvement in combating this cyber threat and encourages notaries to immediately inform the Notary Chamber of Ukraine and CERT-UA if suspicious activity is detected.

Conclusion

The recent attack wave by UAC-0173 highlights the evolving nature of cyber threats. It is essential for notaries, law enforcement agencies, and cybersecurity professionals to stay vigilant and adapt their strategies to prevent exploitation. By following the recommendations outlined in CERT-UA's report, notaries can significantly enhance their security posture against this and future attacks.

Stay informed about the latest cybersecurity news and updates by following me on Twitter: @securityaffairs, Facebook, and Mastodon.