UAC-0063 Expands Cyber Attacks to European Embassies Using Stolen Documents



Advanced Persistent Threat (APT) Group UAC-0063 Expands Operations Across Europe

The notorious APT group UAC-0063 has broadened its cyber espionage campaign, using legitimate documents stolen from prior victims as lures to target multiple European embassies. The expansion now covers countries including Germany, the UK, the Netherlands, Romania, and Georgia, with the aim of deploying the well-known HATVIBE malware.


According to Bitdefender's Technical Solutions Director, Martin Zugec, the group initially focused on Central Asia, targeting government bodies and utilizing sophisticated tactics to exfiltrate sensitive data. However, recent reports indicate UAC-0063 has strategically widened its reach to European embassies.


UAC-0063: A Stealthy Threat Group with Deep Ties to Russian Cyber Activity

UAC-0063, first identified by Romanian cybersecurity firm Bitdefender in May 2023, was initially linked to government-targeted campaigns in Central Asia, employing the DownEx malware (also known as STILLARCH). Experts suspect the group is affiliated with Russian state-sponsored cyber operations, particularly APT28, a well-known hacker group.



In late 2023, Ukraine's CERT-UA confirmed the group’s operational timeline, dating back to at least 2021. Their tactics have included using keyloggers, backdoors, and HTML Application scripts (HATVIBE) to exfiltrate confidential data. Recorded Future’s Insikt Group has also documented UAC-0063’s activity in East Asia and Europe, assigning it the threat actor label TAG-110.


Documents Stolen from Kazakhstan Ministry Used for Spear-Phishing Campaigns

In recent months, UAC-0063 has refined its methods, using documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan to spear-phish new targets. These documents served as lures for the deployment of HATVIBE malware, enabling further system breaches. Bitdefender’s analysis of this campaign reveals that the malware's end goal was to pave the way for other advanced threats, including DownEx, DownExPyer, and a newly discovered USB data exfiltrator dubbed PyPlunderPlug.


Key Malware and Tools in UAC-0063’s Arsenal

UAC-0063 relies heavily on the DownExPyer malware, which has remained a persistent tool in the group’s operations for over two years. The malware is capable of maintaining a continuous connection with a remote server, receiving commands, collecting system data, and deploying additional payloads.


DownExPyer Malware Functionalities:

  • Exfiltrate files with specific extensions to the command-and-control (C2) server
  • Send keystroke logs and files to C2 and delete after transmission
  • Execute system commands, such as gathering system information
  • Enumerate file systems
  • Capture screenshots
  • Terminate running tasks


The Rise of PyPlunderPlug and Keystroke Logging

In addition to its existing malware arsenal, UAC-0063 has introduced PyPlunderPlug, a USB data exfiltrator that has been observed in an attack targeting a German company. Moreover, Bitdefender found a Python script designed to record keystrokes, which appears to be a precursor to the LOGPIE keylogger previously identified in UAC-0063’s campaigns.


Conclusion: A Threat Actor with Advanced Capabilities

UAC-0063 has evolved into a highly sophisticated threat actor, characterized by its targeted espionage activities and advanced malware capabilities. The stability of DownExPyer, which has remained operational and effective for years, underscores the persistence of this group. Their focus on government entities, particularly those of relevance to Russian strategic interests, shows a commitment to long-term cyber espionage operations.


Bitdefender’s Expert Insight

“The stability of DownExPyer's core functionalities over the past two years is a significant indicator of its maturity and likely long-standing presence within the UAC-0063 arsenal,” says Martin Zugec. “Their strategic use of implants like DownExPyer and PyPlunderPlug highlights a clear focus on espionage and intelligence gathering.”


As UAC-0063 continues to expand its reach across Europe, security experts are urging governments and organizations to remain vigilant against this increasingly sophisticated threat actor.