December 15, 2024

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

The threat actor tracked as UAC-0099 has been linked to continued cyberattacks against Ukraine, some of which exploit a critical vulnerability in WinRAR to deploy a malware strain known as LONEPAGE. "The threat actor primarily focuses on Ukrainian employees working for foreign companies," cybersecurity firm Deep Instinct said in a report published on Thursday. UAC-0099 was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in June 2023, which described its cyber espionage activity against state institutions and media organizations. Those attacks used phishing emails carrying malicious HTA, RAR, and LNK attachments that ultimately led to the execution of LONEPAGE, a Visual Basic Script (VBS) malware that contacts a command-and-control (C2) server to retrieve additional payloads such as keyloggers, data stealers, and screenshot-capturing tools.
“UAC-0099’s tactics are straightforward yet highly effective,” Deep Instinct noted. “Regardless of the initial infection method, the core attack remains consistent—leveraging PowerShell and a scheduled task to execute a VBS script.” This development coincides with CERT-UA’s warning about a fresh phishing campaign distributing a remote access trojan (RAT) called Remcos RAT under the guise of overdue Kyivstar payments. CERT-UA attributed this operation to another threat group, UAC-0050. “Between 2022 and 2023, this group gained unauthorized remote access to several dozen computers in Ukraine,” CERT-UA reported.
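The execution chain Deep Instinct describes above (PowerShell creating a scheduled task that runs a VBS script) is a practical hunting target. What follows is an added example, not code from the article or from the Deep Instinct report: it scans Sysmon-style process-creation records for schtasks.exe /create commands whose /tr action runs wscript.exe or cscript.exe on a .vbs file, and reports the ancestor chain so an analyst can see whether PowerShell spawned the task creation. The sample records, task names, and file paths are constructed for the demonstration and are not indicators from the report.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records for the demonstration. The
# command lines are assumptions modelled on the chain the article describes
# (PowerShell -> scheduled task -> VBS), not indicators from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 412, "ppid": 100, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 5120, "ppid": 412,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -ep bypass -c "Start-Sleep 1"'},
    {"pid": 5188, "ppid": 5120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /create /sc minute /mo 3 /tn "SysUpdate" '
            '/tr "wscript.exe C:\\Users\\Public\\update.vbs //B" /f'},
    {"pid": 6000, "ppid": 412, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe"},
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /create /sc daily /tn "NightlyBackup" '
            '/tr "C:\\Tools\\backup.exe" /f'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TR_QUOTED = re.compile(r'/tr\s+"([^"]*)"', re.IGNORECASE)
TR_BARE = re.compile(r'/tr\s+(\S+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_action(cmd: str) -> Optional[str]:
    """Extract the /tr (task run) argument from a schtasks command line."""
    m = TR_QUOTED.search(cmd) or TR_BARE.search(cmd)
    return m.group(1) if m else None


def ancestors(events: List[Dict], pid: int, depth: int = 5) -> List[str]:
    """Image basenames of the process's parent, grandparent, ... (oldest last)."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < depth:
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break  # parent not in the record set (e.g. already exited)
        chain.append(basename(cur["image"]))
    return chain


def find_vbs_task_creation(events: List[Dict]) -> List[Dict]:
    """Flag schtasks /create whose action launches a script host on a .vbs file."""
    alerts: List[Dict] = []
    for e in events:
        if basename(e["image"]) != "schtasks.exe" or "/create" not in e["cmd"].lower():
            continue
        action = task_action(e["cmd"])
        if action is None:
            continue
        low = action.lower()
        if not (".vbs" in low and any(h in low for h in SCRIPT_HOSTS)):
            continue
        chain = ancestors(events, e["pid"])
        alerts.append({
            "pid": e["pid"],
            "action": action,
            "ancestors": chain,
            # The article's chain has PowerShell as the task creator's parent.
            "powershell_parent": "powershell.exe" in chain,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_vbs_task_creation(SAMPLE_EVENTS):
        print(alert)
```

The benign NightlyBackup task in the sample is left alone because its action is an executable, not a script host running a .vbs; in production the same check would be fed from Sysmon Event ID 1 or Security Event ID 4698 rather than an in-memory list.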
Deep Instinct's latest research shows that HTA attachments are only one of three infection techniques used by UAC-0099. The other two are self-extracting (SFX) archives and specially crafted ZIP files that exploit a known WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to deliver LONEPAGE.
In the SFX method, the archive contains an LNK shortcut masquerading as a DOCX court summons and carrying a Microsoft WordPad icon to entice the victim into opening it; doing so triggers PowerShell commands that deploy LONEPAGE.
In the ZIP method, a maliciously crafted archive exploits CVE-2023-38831. Deep Instinct identified two such ZIP files created by UAC-0099 on August 5, 2023, just three days after WinRAR's developers released the patch for the flaw (WinRAR 6.23, published August 2, 2023); systems still running older builds remain exposed to archives of this kind.
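A practical check for the ZIP technique, as an added example that is not code from the article or from Deep Instinct: according to public analyses of CVE-2023-38831, an exploiting archive pairs a decoy file (a court summons, say) with a folder whose name is the decoy's name plus a trailing space, holding a script whose name likewise starts with the decoy's name. WinRAR builds before 6.23 normalised that trailing space and, when the victim opened the decoy, launched the script instead. The script below inspects a ZIP's central directory for that layout without needing WinRAR; the sample archives it builds in memory are constructed for the demonstration, and the extension list and function names are this example's own assumptions.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows would run as code when handed to ShellExecute. Assumption for
# this example: a triage list, not an exhaustive one.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".vbe",
               ".js", ".jse", ".wsf", ".ps1")


def suspicious_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, payload) entry-name pairs matching the CVE-2023-38831 layout.

    Layout (from public analyses of the bug): a top-level entry 'name.ext' plus an
    entry 'name.ext /name.ext .<script>'. The directory name equals the decoy's
    name with a trailing space; vulnerable WinRAR builds dropped that space when
    the victim opened the decoy and ended up launching the script instead.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [zi.filename for zi in zf.infolist() if not zi.is_dir()]
    present = set(names)
    hits: List[Tuple[str, str]] = []
    for name in names:
        if "/" not in name:
            continue  # top-level file: it can be the decoy, never the payload
        dirname, base = name.rsplit("/", 1)
        if "/" in dirname or not dirname.endswith(" "):
            continue  # only a one-level directory ending in a space matters
        decoy = dirname.rstrip(" ")
        if decoy not in present:
            continue  # no matching top-level decoy for the folder to shadow
        if base.lower().endswith(SCRIPT_EXTS) and base.startswith(decoy + " "):
            hits.append((decoy, name))
    return hits


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archives for the demonstration (not real UAC-0099 files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("summons.pdf", b"%PDF-1.4\n% decoy document body\n")
        if malicious:
            # Directory name = decoy name + trailing space; payload mirrors the decoy name.
            zf.writestr("summons.pdf /summons.pdf .cmd",
                        b"@echo off\r\necho placeholder payload\r\n")
        else:
            zf.writestr("attachments/notes.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample_archive(True)),
                        ("benign", build_sample_archive(False))):
        print(label, suspicious_pairs(blob))
```

Because the check reads entry names from the central directory only, it is cheap enough to run on every inbound ZIP at a mail gateway; a trailing-space directory name is rare enough in legitimate archives that a hit deserves quarantine even before the payload is examined.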
