Friday, December 6, 2024
HomeCyber CrimeUAC-0050 Hacked Thousands Of Emails To Launch Malspam Attack

UAC-0050 Hacked Thousands Of Emails To Launch Malspam Attack

Published on

SIEM as a Service

Threat actors target email addresses, as they provide a way to access personal and confidential information.

Emails often hold valuable data such as financials, login credentials, and personal messages.

The attackers could start different kinds of cyber-attacks and propagate malware via compromised email addresses.

- Advertisement - SIEM as a Service

Cybersecurity researcher Will (@BushidoToken) recently discovered that threat actors from UAC-0050 (aka DaVinci Group) have been actively targeting and hacking thousands of email addresses to malspam campaigns.

UAC-0050 Hacked Thousands

CERT-UA reported on 22 Feb 2024 linking UAC-0050 to “The DaVinci Group,” a Russian-speaking mercenary org tied to Russian law enforcement. 

UAC-0050 has been targeting Ukrainian organizations since the 2022 Russian invasion. 

Besides this, it’s been attributed to 15 malspam campaigns, acting as initial access brokers for threat groups like Sandworm and Fancy Bear.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox: ..


They deliver five malware families purchased with Bitcoin from underground cybercriminals, including Remcos RAT and Quasar RAT. 

CERT-UA shared artifacts like file paths and domains tied to UAC-0050 on various occasions by providing insight into their activities.

The DaVinci Group has been actively launching malspam attacks against Ukrainian targets since at least 2017.

They have targeted government ministries, local authorities, the military, and civilians with tens of thousands of harvested email addresses. 

Using tactics like posing as judicial authorities or security services, they distribute malicious attachments like Remcos RAT or RemoteUtilities RMM tools to deceive victims. 

Their evolving strategies show a concerning level of sophistication and persistence in their cyber operations.

DaVinci Group (Source – BushidoToken)

CERT-UA’s artifacts and DaVinci’s website mix-up became crucial pivots. The mistake exposed DaVinci operators’ details openly, unraveling their activities effortlessly.

DaVinci Website (Source – BushidoToken)

8161[.]uk serves as The DaVinci Group’s primary hub, showcasing their services collection. Not only that, but they also boast access to 150,000 Moscow CCTV cameras.

DaVinci Services (Source – BushidoToken)

Since August 25, 2018, the DaVinci Project site has links to domains like davincigroup[.]online.

It connects to social media profiles, including laughable Instagram with bare Russian models showcasing laptops.

DaVinci on Instagram showcased explicit ads and glimpses of hacking and surveillance work.

The clients contact us via Telegram, with multiple business-related accounts listed on their website’s Contact Us page.

Services Offered By DaVinci

Here below, we have mentioned all the services offered:-

  • Breaking into WhatsApp/Viber – 350,000 roubles parallel access with correspondence archive.
  • VK architecture with remote messages – 500,000 rubles exclusive from VKontakte servers.
  • Breaking into TV is from 500,000p.
  • Pk/mobile break-in – 150,000p.
  • Stealing social network/messenger accounts from 100,000p.
  • Gmail archive – 250,000p.
  • Corporate mail, 150,000p.
  • Withdrawal of info from cellular towers – from 300 000p
  • Interception of Internet traffic – from 400,000p
  • Monitoring cell phone movements – from 900,000p per week
  • Search for stolen cars – 200 000p
  • Establishment/elimination of exit/entry ban – 100,000p
  • Telegram hacking – 500,000p
  • Comprehensive dossiers on Phys. persons – from 20,000 rubles, Legal entity. persons – from 30,000 rubles
  • Ministry of Internal Affairs (Russia) requests – from 1500 rubles.
  • Interpol Search – from 50,000 rub.
  • Europol Search – from 80,000 rub.
  • Weapons (Registered weapons on a citizen) Search – from 5,000 rubles.
  • Crossing the border Search – from 11,000 rubles.
  • Flight Passenger list – from 10,000 rubles.
  • Determine data on IP – from 100,000 rubles.
  • Bank Account balance (balance) – from 20,000 rubles.
  • Addresses of ATMs used by the target – from 30,000 rubles/month
  • SMS details with text for 1 month: Any operator in the Russian Federation – from 150,000 rubles.
  • Flash, any operator in the Russian Federation (all operators) – from 40,000 rubles.
  • Marking call points on the map via BS per month (all operators) – from 10,000 rubles.

CERT-UA reports suggest DaVinci Group mercenaries may aid Russia in targeting Ukraine. Investigating their online presence shows capabilities but a lack of operational security.

DaVinci Group is a low-tier mercenary threat group blurring the lines between cybercrime and the Russian government.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...