UAC-0173 Cyberattack Targets Ukraine’s Notary Offices


CERT-UA, the Governmental Computer Emergency Response Team of Ukraine, reported a resurgence of the notorious criminal group UAC-0173. This group, known for orchestrating targeted cyberattacks on critical Ukrainian state infrastructure, has recently focused its efforts on Ukraine’s notary offices. Their primary goal: to gain unauthorized remote access to notary computers and manipulate state registers for monetary gain. 

The Ministry of Justice of Ukraine and the State Special Communications Service have been particularly active in defending against these attacks, which are part of a broader cyber-espionage campaign aimed at destabilizing Ukraine’s public records systems. The attacks employ sophisticated malware, advanced tools for system exploitation, and various techniques to circumvent security measures like User Account Control (UAC). 

The Attack Methodology of UAC-0173 Group  

CERT-UA first observed this wave of UAC-0173 activity in late January 2025, when it began monitoring suspicious activity targeting Ukrainian notary systems. The attackers used email messages disguised as official communications from the Ministry of Justice of Ukraine. These emails included links to malicious files such as “HAKA3.exe” and “Order of the Ministry of Justice of February 10, 2025 No. 43613.1-03.exe.” When opened, these files deployed the DARKCRYSTALRAT (DCRAT) malware, which allowed the attackers to establish initial access to the targeted systems.

Once access was gained, the attackers installed additional malicious software, including RDPWRAPPER. This tool enables multiple Remote Desktop Protocol (RDP) sessions, effectively bypassing local security controls and allowing the attackers to gain direct access to the affected computers. By using tools like BORE, they were able to create RDP connections from the internet, making their operations more difficult to trace. 

The group also leveraged the FIDDLER proxy/sniffer tool to intercept login credentials used in web interfaces of state registers, while the XWORM stealer was employed to steal sensitive data such as usernames and passwords from the clipboard and keystrokes. 

CERT-UA’s Response and Cybersecurity Measures 

Upon discovering the renewed attacks, CERT-UA quickly took action to protect vulnerable systems. Working in collaboration with the Cybersecurity Commission of the Notarial Chamber of Ukraine, CERT-UA identified compromised systems across six regions of Ukraine. These systems were quickly isolated and secured, preventing the attackers from completing their malicious activities in some cases.
The Ministry of Justice of Ukraine, together with CERT-UA, also provided guidance to notaries to configure their systems in ways that would reduce the likelihood of successful attacks. Despite these efforts, the demand for services to alter state registers remains high, making it likely that UAC-0173 will continue to target notarial systems in the future. 

CERT-UA urged notaries to remain vigilant and report any suspicious activity immediately. The cooperation between Ukraine’s law enforcement agencies, the Cybersecurity Commission of the National Police of Ukraine, and CERT-UA remains vital in the ongoing fight against cybercriminals targeting the country’s public sector. 

Tools and Tactics 

[Figure: UAC-0173 tools & tactics – example of an attack chain (Source: CERT-UA)]

The attackers used an array of advanced tools to carry out their campaign. Key malware families involved include DCRAT and XWORM. These tools allowed the attackers to exfiltrate data, monitor victim activities, and further compromise systems. Additionally, the use of RDPWRAPPER enabled the attackers to execute parallel RDP sessions, increasing their control over the compromised systems.

Some of the malicious files identified by CERT-UA include: 

  • RDPWInst.exe – Used to install the RDPWrapper tool 
  • install.bat – A batch file to execute other malicious programs 
  • HAKA3.exe – The file responsible for installing the DCRAT malware 
  • bore.exe – Used to facilitate RDP connections from the internet 
  • xupwork3.exe – Likely another piece of malware used to maintain persistence on the compromised systems 

These tools were deployed through various methods, including email attachments and direct downloads from compromised websites. The attackers also used legitimate file storage services to host malicious files, making detection more difficult for traditional security tools. 

Indicators of Compromise (IOCs) 

The attack campaign also left a trail of indicators of compromise (IOCs), which help cybersecurity experts track the activities of UAC-0173. Some of the IOCs identified by CERT-UA include suspicious file names and URLs that were used in the attack: 

File Hashes: 

  • 3288c284561055044c489567fd630ac2 
  • cbad5b2ca73917006791882274f769e8 
  • a6b692e0ed3d5cd6fd20820dd06608ac 

Malicious URLs: 

  • hXXps://87.120.126[.]48/1pm 
  • hXXps://194[.]0.234.155/for your information.exe 
  • hXXps://91[.]92.246.18/upl/t1.exe 

By monitoring these indicators, cybersecurity teams can better identify ongoing attacks and implement countermeasures to protect Ukrainian state institutions from further breaches. 
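As an added example (not part of the CERT-UA report or of this article), the script below shows one way a defender could sweep proxy logs and a file-hash inventory for the indicators listed above. It refangs the hXXps / [.] notation used in the report, normalises percent-encoding and letter case, and flags both exact URL matches and other paths requested from the same IOC hosts. The hashes and URLs are copied from the list above; the log lines and the log format are constructed samples.

```python
"""IOC sweep for the UAC-0173 indicators quoted in the article (added example)."""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# MD5-length hashes copied from the report, stored lowercase for comparison.
IOC_MD5 = {
    "3288c284561055044c489567fd630ac2",
    "cbad5b2ca73917006791882274f769e8",
    "a6b692e0ed3d5cd6fd20820dd06608ac",
}

# Defanged URLs exactly as the report lists them.
DEFANGED_URLS = [
    "hXXps://87.120.126[.]48/1pm",
    "hXXps://194[.]0.234.155/for your information.exe",
    "hXXps://91[.]92.246.18/upl/t1.exe",
]


def refang(url: str) -> str:
    """Turn the defanged CTI notation (hXXp, [.]) back into a real URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def normalize(url: str) -> Tuple[str, str]:
    """(host, path) with scheme, host case and percent-encoding differences removed."""
    parts = urlsplit(url.strip())
    return parts.hostname or "", unquote(parts.path)


IOC_URLS = {normalize(refang(u)) for u in DEFANGED_URLS}
IOC_HOSTS = {host for host, _ in IOC_URLS}


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """
    Return (line_number, reason) for every line whose URL hits an IOC.
    Constructed log format: '<epoch> <client_ip> <METHOD> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host, path = normalize(fields[3])
        if (host, path) in IOC_URLS:
            hits.append((n, f"exact IOC URL {host}{path}"))
        elif host in IOC_HOSTS:
            # Same infrastructure, different payload path: still worth a look.
            hits.append((n, f"IOC host {host}, new path {path}"))
    return hits


def match_hashes(observed: Iterable[str]) -> set:
    """Hex digests compare case-insensitively (the report lists one in mixed case)."""
    return {h.strip().lower() for h in observed if h.strip().lower() in IOC_MD5}


# Constructed sample log lines; the second one is percent-encoded as a proxy would log it.
SAMPLE_LOG = [
    "1739181600.123 10.0.0.15 GET https://www.example.org/index.html 200",
    "1739181601.456 10.0.0.15 GET https://87.120.126.48/1pm 200",
    "1739181602.789 10.0.0.22 GET https://194.0.234.155/for%20your%20information.exe 200",
    "1739181603.001 10.0.0.22 GET https://91.92.246.18/upl/other.bin 404",
]

if __name__ == "__main__":
    for line_no, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
    print(match_hashes(["A6B692E0ED3D5CD6FD20820DD06608AC", "00000000000000000000000000000000"]))
```

The host-level match is deliberately looser than the exact-URL match: the report's third URL ends in t1.exe, but a host that served one payload may serve the next one under another name, so a request to the same address with an unknown path is surfaced separately rather than dropped.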

The Role of RDPWRAPPER in the Attack 

One of the most significant tools used by the attackers in this campaign was RDPWRAPPER. This tool is designed to bypass local security protocols and enable multiple RDP sessions on the infected machine. In combination with other tools like BORE and FIDDLER, RDPWRAPPER allowed the attackers to establish persistent access to notary systems, enabling them to execute further malicious actions such as altering state registers. 

The deployment of RDPWRAPPER also highlights the sophistication of the attack, as the tool effectively bypasses security measures such as User Account Control (UAC), which is designed to prevent unauthorized access to critical system functions. 
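The following added example (not code from CERT-UA or from this article) shows two host-side checks a defender can run for the RDP Wrapper technique described above. The first inspects the TermService ServiceDll registry value: Windows normally points it at termsrv.dll under System32, and the open-source RDP Wrapper redirects it to its own rdpwrap.dll. The second walks Security-log logon records (event 4624 with logon type 10 is a remote-interactive RDP logon; 4634/4647 close the session) and reports the peak number of simultaneous RDP sessions, since a client edition of Windows allows only one. The registry value and event records are constructed sample input; collecting the real values (winreg, Get-WinEvent) is left to the caller.

```python
"""Host-side checks for RDP Wrapper style multi-session RDP (added example)."""
import ntpath
from typing import Dict, Iterable, Optional

# Stock location of the Remote Desktop Services service DLL on Windows.
EXPECTED_TERMSRV_DLL = r"%SystemRoot%\System32\termsrv.dll"


def _norm(path: str) -> str:
    """Expand %SystemRoot% (assumed C:\\Windows) and normalise case and slashes."""
    return ntpath.normcase(path.strip('"').replace("%SystemRoot%", r"C:\Windows"))


def termservice_dll_verdict(service_dll: str) -> Optional[str]:
    """
    Check the data of
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters\\ServiceDll.
    Returns a finding string, or None when the value is the stock termsrv.dll.
    """
    if _norm(service_dll) == _norm(EXPECTED_TERMSRV_DLL):
        return None
    if ntpath.basename(_norm(service_dll)) == "rdpwrap.dll":
        return f"RDP Wrapper installed: ServiceDll = {service_dll}"
    return f"non-default TermService ServiceDll: {service_dll}"


def max_concurrent_rdp_sessions(events: Iterable[Dict]) -> int:
    """
    Walk logon records in time order. A 4624 with LogonType 10 opens an RDP
    session keyed by its LogonId; a 4634 or 4647 for that LogonId closes it.
    Returns the highest number of sessions open at the same moment.
    """
    open_sessions = set()
    peak = 0
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] == 4624 and ev.get("LogonType") == 10:
            open_sessions.add(ev["LogonId"])
            peak = max(peak, len(open_sessions))
        elif ev["EventID"] in (4634, 4647):
            open_sessions.discard(ev["LogonId"])
    return peak


def rdp_session_finding(events: Iterable[Dict], limit: int = 1) -> Optional[str]:
    """limit=1 for client Windows; Server editions allow two administrative sessions."""
    peak = max_concurrent_rdp_sessions(events)
    if peak > limit:
        return f"{peak} concurrent RDP sessions (limit {limit}): single-session limit bypassed"
    return None


# Constructed sample records (fields reduced to what the logic needs).
SAMPLE_EVENTS = [
    {"time": 1, "EventID": 4624, "LogonType": 10, "LogonId": "0x3e7a1", "User": "notary"},
    {"time": 2, "EventID": 4624, "LogonType": 2, "LogonId": "0x3e7b0", "User": "notary"},  # console logon
    {"time": 3, "EventID": 4624, "LogonType": 10, "LogonId": "0x4f002", "User": "svc_rdp"},
    {"time": 4, "EventID": 4634, "LogonId": "0x3e7a1"},
    {"time": 5, "EventID": 4624, "LogonType": 10, "LogonId": "0x4f100", "User": "notary"},
]

if __name__ == "__main__":
    print(termservice_dll_verdict(r"C:\Program Files\RDP Wrapper\rdpwrap.dll"))
    print(rdp_session_finding(SAMPLE_EVENTS, limit=1))
```

Both checks are cheap enough to run from a scheduled job on every notary workstation; an alert on either one is a good trigger for the isolation step CERT-UA describes, and the session-count check also catches other tools that remove the single-session limit, not just RDP Wrapper.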

Conclusion 

As the demand for unauthorized modifications to Ukraine’s state registers remains high, UAC-0173 and other cybercriminal groups are expected to continue their efforts. The collaboration between CERT-UA, the Ministry of Justice of Ukraine, and law enforcement agencies will be critical in mitigating the impact of these attacks.

Additionally, the ongoing efforts to secure notarial systems and state registers, as well as the deployment of advanced cybersecurity tools, will be essential in reducing the attack surface and preventing further breaches. Notaries are urged to remain vigilant and report any suspicious activity to CERT-UA to enable timely response and mitigation.
