UAC-0050 Hacked Thousands Of Emails To Launch Malspam Attack

Threat actors target email addresses, as they provide a way to access personal and confidential information.

Emails often hold valuable data such as financials, login credentials, and personal messages.

The attackers could start different kinds of cyber-attacks and propagate malware via compromised email addresses.

Cybersecurity researcher Will (@BushidoToken) recently discovered that threat actors from UAC-0050 (aka DaVinci Group) have been actively targeting and hacking thousands of email addresses to malspam campaigns.

UAC-0050 Hacked Thousands

CERT-UA reported on 22 Feb 2024 linking UAC-0050 to “The DaVinci Group,” a Russian-speaking mercenary org tied to Russian law enforcement. 

UAC-0050 has been targeting Ukrainian organizations since the 2022 Russian invasion. 

Besides this, it’s been attributed to 15 malspam campaigns, acting as initial access brokers for threat groups like Sandworm and Fancy Bear.

Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

• Interact with malware safely
• Set up virtual machine in Linux and all Windows OS versions
• Work in a team
• Get detailed reports with maximum data
If you want to test all these features now with completely free access to the sandbox: ..
Analyze malware in ANY.RUN for free

They deliver five malware families purchased with Bitcoin from underground cybercriminals, including Remcos RAT and Quasar RAT. 

CERT-UA shared artifacts like file paths and domains tied to UAC-0050 on various occasions by providing insight into their activities.

The DaVinci Group has been actively launching malspam attacks against Ukrainian targets since at least 2017.

They have targeted government ministries, local authorities, the military, and civilians with tens of thousands of harvested email addresses. 

Using tactics like posing as judicial authorities or security services, they distribute malicious attachments like Remcos RAT or RemoteUtilities RMM tools to deceive victims. 

Their evolving strategies show a concerning level of sophistication and persistence in their cyber operations.

CERT-UA’s artifacts and DaVinci’s website mix-up became crucial pivots. The mistake exposed DaVinci operators’ details openly, unraveling their activities effortlessly.

8161[.]uk serves as The DaVinci Group’s primary hub, showcasing their services collection. Not only that, but they also boast access to 150,000 Moscow CCTV cameras.

Since August 25, 2018, the DaVinci Project site has links to domains like davincigroup[.]online.

It connects to social media profiles, including laughable Instagram with bare Russian models showcasing laptops.

DaVinci on Instagram showcased explicit ads and glimpses of hacking and surveillance work.

The clients contact us via Telegram, with multiple business-related accounts listed on their website’s Contact Us page.

Services Offered By DaVinci

Here below, we have mentioned all the services offered:-

• Breaking into WhatsApp/Viber – 350,000 roubles parallel access with correspondence archive.
• VK architecture with remote messages – 500,000 rubles exclusive from VKontakte servers.
• Breaking into TV is from 500,000p.
• Pk/mobile break-in – 150,000p.
• Stealing social network/messenger accounts from 100,000p.
• Gmail archive – 250,000p.
• Corporate mail, 150,000p.
• Withdrawal of info from cellular towers – from 300 000p
• Interception of Internet traffic – from 400,000p
• Monitoring cell phone movements – from 900,000p per week
• Search for stolen cars – 200 000p
• Establishment/elimination of exit/entry ban – 100,000p
• Telegram hacking – 500,000p
• Comprehensive dossiers on Phys. persons – from 20,000 rubles, Legal entity. persons – from 30,000 rubles
• Ministry of Internal Affairs (Russia) requests – from 1500 rubles.
• Interpol Search – from 50,000 rub.
• Europol Search – from 80,000 rub.
• Weapons (Registered weapons on a citizen) Search – from 5,000 rubles.
• Crossing the border Search – from 11,000 rubles.
• Flight Passenger list – from 10,000 rubles.
• Determine data on IP – from 100,000 rubles.
• Bank Account balance (balance) – from 20,000 rubles.
• Addresses of ATMs used by the target – from 30,000 rubles/month
• SMS details with text for 1 month: Any operator in the Russian Federation – from 150,000 rubles.
• Flash, any operator in the Russian Federation (all operators) – from 40,000 rubles.
• Marking call points on the map via BS per month (all operators) – from 10,000 rubles.

CERT-UA reports suggest DaVinci Group mercenaries may aid Russia in targeting Ukraine. Investigating their online presence shows capabilities but a lack of operational security.

DaVinci Group is a low-tier mercenary threat group blurring the lines between cybercrime and the Russian government.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.