In a newly reported campaign, UAC-0125 is abusing Cloudflare Workers to distribute malware disguised as the Army+ app, a platform created to digitize Ukraine's military operations.
CERT-UA warns that the campaign targets military personnel, luring them to fake websites that trick users into downloading malicious software.
With links to the infamous Sandworm group, this attack shows how state-backed threat actors increasingly host their infrastructure on legitimate cloud services to blend in with normal traffic.
Key Takeaway: UAC-0125 Exploits Cloudflare Workers
- The abuse of legitimate platforms like Cloudflare Workers in cyberattacks emphasizes the need for vigilance and robust cybersecurity defenses.
UAC-0125’s Malicious Campaign Using Cloudflare Workers
CERT-UA recently uncovered a campaign by UAC-0125, where attackers are using Cloudflare Workers to host fake websites mimicking the official Army+ application.
Launched by Ukraine’s Ministry of Defense, Army+ aims to enhance operational efficiency by digitizing military processes.
However, the attackers have impersonated this trusted application, hosting look-alike sites on Cloudflare Workers to distribute malware.
When victims visit these fraudulent websites, they are prompted to download a Windows executable file named “ArmyPlusInstaller-v.0.10.23722.exe”. This installer, created using the Nullsoft Scriptable Install System (NSIS), contains:
Component | Purpose |
---|---|
Decoy File (ArmyPlus.exe) | Distracts the user with a legitimate-looking application while the rest of the payload runs. |
Python Interpreter | Supports the execution of scripts embedded in the installer. |
Tor Archive | Provides anonymous communication with attacker-controlled servers. |
PowerShell Script (init.ps1) | Installs OpenSSH, generates an RSA key pair, and sends the private key together with system information to the attackers over Tor. |
When executed, these components give UAC-0125 remote SSH access to the compromised system through the Tor network, without the victim ever seeing anything other than the decoy application.
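The post-install chain described above (an installer launched from a user-writable directory, a PowerShell script that installs OpenSSH, generates SSH keys, writes an authorized_keys file and starts Tor) is what a defender can hunt for on the endpoint. The following is an added example written for this page, not code from CERT-UA or from the malware: a small correlation rule run over constructed, Sysmon-style JSON events (event ID 1 = process creation, 3 = network connection, 11 = file creation). The process IDs, paths, temp-directory name and the 203.0.113.10 address are all constructed sample data; the rule alerts only when a process tree rooted in a Downloads or Temp directory both writes an authorized_keys file and executes Tor, so an administrator's lone ssh-keygen run does not trigger it.

```python
import json
from collections import defaultdict

# Constructed JSON-lines telemetry, loosely modelled on Sysmon event IDs.
# These records are illustrative only, not data from the CERT-UA report.
SAMPLE_LOG = r"""
{"eid":1,"host":"WS-01","pid":4100,"ppid":1200,"image":"C:\\Users\\ivan\\Downloads\\ArmyPlusInstaller-v.0.10.23722.exe","cmd":"ArmyPlusInstaller-v.0.10.23722.exe"}
{"eid":1,"host":"WS-01","pid":4120,"ppid":4100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -ep Bypass -f C:\\Users\\ivan\\AppData\\Local\\Temp\\nsa1F2.tmp\\init.ps1"}
{"eid":1,"host":"WS-01","pid":4125,"ppid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -Command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"}
{"eid":1,"host":"WS-01","pid":4131,"ppid":4120,"image":"C:\\Windows\\System32\\OpenSSH\\ssh-keygen.exe","cmd":"ssh-keygen.exe -t rsa -N \"\" -f C:\\ProgramData\\ssh\\id_rsa"}
{"eid":11,"host":"WS-01","pid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target":"C:\\ProgramData\\ssh\\administrators_authorized_keys"}
{"eid":1,"host":"WS-01","pid":4140,"ppid":4120,"image":"C:\\Users\\ivan\\AppData\\Local\\Temp\\nsa1F2.tmp\\tor\\tor.exe","cmd":"tor.exe -f torrc"}
{"eid":3,"host":"WS-01","pid":4140,"image":"C:\\Users\\ivan\\AppData\\Local\\Temp\\nsa1F2.tmp\\tor\\tor.exe","dst":"203.0.113.10","dport":9001}
{"eid":1,"host":"WS-02","pid":5100,"ppid":900,"image":"C:\\Windows\\System32\\OpenSSH\\ssh-keygen.exe","cmd":"ssh-keygen.exe -t ed25519"}
"""

# Directories from which a freshly downloaded installer typically runs.
INSTALLER_DIRS = ("\\downloads\\", "\\temp\\")


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def indicators(ev):
    """Map one event to the set of indicator names it satisfies."""
    found = set()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "").lower()
    target = ev.get("target", "").lower()
    if ev["eid"] == 1:
        if image.endswith("\\ssh-keygen.exe"):
            found.add("ssh_keygen")
        if "add-windowscapability" in cmd and "openssh" in cmd:
            found.add("openssh_install")
        if image.endswith("\\tor.exe"):
            found.add("tor_exec")
    elif ev["eid"] == 11 and target.endswith("authorized_keys"):
        found.add("authorized_keys_write")
    elif ev["eid"] == 3 and image.endswith("\\tor.exe"):
        found.add("tor_network")
    return found


def detect(events):
    """Return one alert per installer-like root process whose descendants
    both write an authorized_keys file and run Tor."""
    procs = {}                      # (host, pid) -> process-creation event
    children = defaultdict(list)    # (host, ppid) -> [child pids]
    per_proc = defaultdict(set)     # (host, pid) -> indicators from any event
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["eid"] == 1:
            procs[key] = ev
            children[(ev["host"], ev["ppid"])].append(ev["pid"])
        per_proc[key] |= indicators(ev)

    alerts = []
    for (host, pid), ev in procs.items():
        if not any(d in ev["image"].lower() for d in INSTALLER_DIRS):
            continue
        # Walk the process tree below this candidate root.
        seen, stack = set(), [pid]
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            stack.extend(children[(host, p)])
        found = set()
        for p in seen:
            found |= per_proc[(host, p)]
        if "authorized_keys_write" in found and found & {"tor_exec", "tor_network"}:
            alerts.append({"host": host, "root_pid": pid,
                           "root_image": ev["image"], "indicators": sorted(found)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample, the rule raises a single alert rooted at the constructed installer on WS-01 and stays silent for WS-02, where ssh-keygen ran without any of the other indicators. In production the same logic maps onto a SIEM correlation search keyed on host and process lineage; the authorized_keys write is the highest-value signal because it is the step that turns a one-off key generation into persistent attacker access.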
UAC-0125’s Connection to Sandworm
CERT-UA notes that UAC-0125 is linked to UAC-0002, also known as Sandworm. This group, attributed to Russia's GRU (Unit 74455), is notorious for its long history of cyberattacks, including:
- 2015: The first blackout in Ukraine caused by a cyberattack, using BlackEnergy malware; a second blackout followed in 2016 using Industroyer.
- 2017: The global NotPetya outbreak, a destructive wiper disguised as ransomware.
- 2022: Industroyer2 attacks targeting Ukraine's power infrastructure.
This latest campaign aligns with Sandworm’s strategy of targeting Ukrainian military and critical infrastructure entities, emphasizing the persistent cyber threat Ukraine faces.
Rising Abuse of Legitimate Platforms
Beyond UAC-0125, threat actors of all kinds are increasingly misusing trusted platforms such as Cloudflare Workers and Cloudflare Pages for phishing and malware distribution, because pages served from these platforms inherit a reputable domain and valid TLS certificate. For instance:
Platform | Incidents in 2023 | Incidents in 2024 (to date) | Percentage Increase |
---|---|---|---|
Cloudflare Pages | 460 | 1,370 | 198% |
Cloudflare Workers | 2,447 | 4,999 | 104% |
This trend highlights the difficulty of blocking abuse on services that many legitimate sites also depend on: defenders cannot simply blocklist the platform and must instead inspect the individual hostnames and content being served.
Sanctions and Global Implications
The European Council recently imposed sanctions against 16 individuals and three entities linked to Russia’s destabilizing activities. These include:
- GRU Unit 29155: Involved in assassinations and cyberattacks across Europe.
- Doppelganger Network: Spreads disinformation supporting Russia’s aggression against Ukraine.
- African Initiative: Amplifies pro-Russian propaganda in Africa.
Such sanctions aim to curb Russia’s cyber influence, but the increasing frequency of campaigns like those by UAC-0125 underscores the need for collective international action against cyber threats.
About CERT-UA
CERT-UA (Computer Emergency Response Team of Ukraine) is the national cybersecurity authority responsible for detecting and mitigating cyber threats against Ukrainian organizations and for publishing advisories such as the one describing this campaign.
Rounding Up
The revelation that UAC-0125 exploits Cloudflare Workers to spread malware via fake Army+ websites serves as a stark reminder of the evolving cyber threat landscape.
With connections to Sandworm and the abuse of trusted platforms, this attack emphasizes the need for continuous vigilance, robust cybersecurity measures, and international collaboration to combat such sophisticated campaigns.
FAQs
What is UAC-0125?
- UAC-0125 is a Russia-backed hacking group associated with Sandworm (UAC-0002) targeting Ukrainian entities.
How does UAC-0125 use Cloudflare Workers?
- The group uses Cloudflare Workers to host fake websites mimicking the Army+ app to distribute malware.
What are the consequences of this attack?
- It allows attackers remote access to compromised systems, threatening sensitive military and government operations.
How can organizations defend against such threats?
- Distribute official software only through verified channels and teach users to check the hostname before downloading an installer, since sites hosted on Cloudflare Workers carry a generic workers.dev domain rather than the official one; deploy endpoint detection that alerts on unexpected OpenSSH server installation, changes to authorized_keys files, and Tor processes or traffic from workstations; and keep regular phishing-awareness training in place.