UAC-0099 Hackers Weaponize HTA Files to Deliver MatchBoil Loader

The threat actor tracked as UAC-0099 is actively using HTA (HTML Application) files as the first stage of an infection chain that ends with the MatchBoil loader. The campaign targets organizations, primarily in Ukraine, and shows how the group keeps adapting its delivery tradecraft while relying on the same building blocks: a malicious attachment, a script interpreter that Windows already ships, and a scheduled task.

Who is UAC-0099?
UAC-0099 is a threat actor known for targeting Ukrainian entities; the UAC- designation is the naming scheme of CERT-UA, Ukraine's national CERT, which has tracked the group across several campaigns. Its intrusions rely on social engineering rather than software exploits: phishing emails persuade the recipient to open an attachment, and that attachment is typically an HTA, LNK, or RAR file that starts the infection chain.
The Role of HTA Files
HTA files are HTML Applications: HTML, CSS, and script (JScript or VBScript) packaged into a single file with the .hta extension. Windows associates that extension with mshta.exe, a signed Microsoft binary, so double-clicking the file runs it as a local application rather than as a web page. That distinction is the security-relevant point: the script is not confined by browser security zones or sandboxing, so it can instantiate COM objects such as WScript.Shell and Scripting.FileSystemObject to write files and launch processes with the full privileges of the user who opened it. This makes HTA an attractive vector for malware delivery, and UAC-0099 uses it to initiate the infection chain.
Understanding the MatchBoil Loader
The MatchBoil loader is a C#-based program whose job is to fetch and run additional malware on the compromised system. Once the HTA file is executed, it launches an obfuscated Visual Basic Script (VBS) that registers a scheduled task for persistence. The task ensures the MatchBoil loader is started automatically, even after a reboot, and the loader then downloads and executes further payloads, which could include keyloggers, stealers, or other malware.
Attack Chain Breakdown
- Phishing Email: The attack starts with a phishing email carrying a malicious HTA attachment (or an archive or shortcut that leads to one).
- HTA Execution: When the user opens the HTA file, mshta.exe renders it and runs the embedded script with the user's privileges.
- VBS Script: The HTA drops and launches an obfuscated Visual Basic Script (VBS) through the Windows script host.
- Persistence: The VBS creates a scheduled task so the next stage survives reboots and user logoffs.
- MatchBoil Loader: The scheduled task executes the MatchBoil loader, a C#-based program.
- Payload Delivery: MatchBoil downloads and executes additional malware on the host.
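Each step of that chain leaves a process-creation event, and the sequence of parent-child relationships (mshta.exe spawning a script host, the script host spawning schtasks.exe) is far more specific than any single event. The following Python is an added example, not code from the article or from any vendor report it summarizes, showing how a detection engineer would encode the chain as per-event rules plus a parent-chain correlation. It runs over constructed sample events shaped like Sysmon Event ID 1 records; every path, GUID, file name and task name in SAMPLE_EVENTS is hypothetical.

```python
"""Detection logic for the HTA -> VBS -> scheduled-task chain described above.
Input events are shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine,
ProcessGuid, ParentProcessGuid). SAMPLE_EVENTS is constructed, not real telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to; payloads dropped by an HTA land here.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|users\\public|programdata|windows\\temp)\\", re.I)

# Constructed sample telemetry (hypothetical paths, GUIDs and task name).
SAMPLE_EVENTS = [
    # Step 2: the victim opens the attachment and mshta.exe runs it with full trust.
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\victim\AppData\Local\Temp\document.hta"'},
    # Step 3: the HTA hands off to an obfuscated VBS through wscript.exe.
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'wscript.exe //e:vbscript "C:\Users\victim\AppData\Roaming\Microsoft\stage.vbs"'},
    # Step 4: the VBS registers a scheduled task whose action is the dropped loader.
    {"ProcessGuid": "g5", "ParentProcessGuid": "g4",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 3 /TN "OneDriveUpdate" '
                    r'/TR "C:\Users\victim\AppData\Roaming\Microsoft\svchost.exe" /F'},
    # Benign control: an administrator creating a task from PowerShell for a Program Files binary.
    {"ProcessGuid": "g6", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\backup.exe"'},
]


def _name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the names of the per-event rules this process-creation event trips."""
    hits = []
    image, parent, cmd = _name(ev["Image"]), _name(ev["ParentImage"]), ev["CommandLine"]
    # Rule 1: mshta.exe opening an .hta that lives in a user-writable directory
    # (a mail attachment, a download, or a file extracted from an archive).
    if image == "mshta.exe" and re.search(r"\.hta\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("hta_from_user_writable_path")
    # Rule 2: a script host spawned directly by mshta.exe (the HTA -> VBS handoff).
    if image in SCRIPT_HOSTS and parent == "mshta.exe":
        hits.append("script_host_from_mshta")
    # Rule 3: schtasks /Create launched by a script host whose task action points into a
    # user-writable directory, i.e. persistence for a freshly dropped executable.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and parent in SCRIPT_HOSTS:
        action = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        if action and USER_WRITABLE.search(action.group(1)):
            hits.append("schtasks_persistence_from_script_host")
    return hits


def reconstruct_chains(events):
    """Walk ParentProcessGuid links upward from each persistence hit and return every
    lineage rooted in mshta.exe, as a top-down list of process names."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    chains = []
    for ev in events:
        if "schtasks_persistence_from_script_host" not in classify_event(ev):
            continue
        lineage, cur = [ev], ev
        while cur["ParentProcessGuid"] in by_guid:
            cur = by_guid[cur["ParentProcessGuid"]]
            lineage.append(cur)
            if _name(cur["Image"]) == "mshta.exe":
                chains.append([_name(e["Image"]) for e in reversed(lineage)])
                break
    return chains


def detect(events):
    """Run the per-event rules and the chain correlation over a batch of events."""
    flagged = {}
    for ev in events:
        hits = classify_event(ev)
        if hits:
            flagged[ev["ProcessGuid"]] = hits
    return flagged, reconstruct_chains(events)


if __name__ == "__main__":
    flagged, chains = detect(SAMPLE_EVENTS)
    for guid, hits in flagged.items():
        print(guid, hits)
    for chain in chains:
        print("HTA-rooted persistence chain:", " -> ".join(chain))
```

Rule 3 deliberately requires both a script-host parent and a task action under a user-writable path; either condition alone fires constantly in a real environment (logon scripts, software installers), and the benign control event in the sample shows the administrator's task passing through untouched. The chain reconstruction is what turns three medium-confidence signals into one high-confidence alert.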
Impact and Mitigation
The primary impact of this attack is the compromise of sensitive data and systems. The additional malware dropped by the MatchBoil loader can steal credentials, monitor user activity, and cause significant disruption. Because the chain needs no software vulnerability, only a user who opens the attachment and a Windows host that will run HTA files, the most effective mitigations are the ones that remove those two conditions. Organizations should:
- Educate users about phishing emails and the dangers of opening attachments, especially archives and files with unfamiliar extensions such as .hta.
- Block or quarantine HTA attachments (including inside archives) at the email gateway, and implement email security controls that detect and block malicious messages.
- Restrict mshta.exe where it is not needed, for example with AppLocker or Windows Defender Application Control policies, or change the default handler for the .hta extension so that double-clicking no longer executes the file.
- Keep software up to date; this chain does not exploit a vulnerability, but follow-on payloads may.
- Use endpoint detection and response (EDR) solutions, and alert on mshta.exe spawning script hosts and on schtasks.exe being launched by wscript.exe or cscript.exe.
- Monitor network traffic for the loader's download activity and other suspicious connections.
Key Takeaways
The UAC-0099 campaign highlights the importance of staying vigilant against evolving threats. The use of HTA files to deliver the MatchBoil loader shows how much an actor can achieve with built-in Windows components and no exploit at all. By understanding the attack chain, restricting the components it depends on, and detecting the parent-child process relationships it produces, organizations can significantly reduce their risk.