UAC-0050 Hacked Thousands Of Emails To Launch Malspam Attack

Threat actors target email addresses, as they provide a way to access personal and confidential information.

Emails often hold valuable data such as financials, login credentials, and personal messages.

From compromised email addresses, attackers can launch many kinds of cyber-attacks and propagate malware to the victim's contacts.

Cybersecurity researcher Will (@BushidoToken) recently discovered that threat actors from UAC-0050 (aka DaVinci Group) have been actively harvesting and hacking thousands of email addresses to fuel malspam campaigns.

UAC-0050 Hacked Thousands

CERT-UA reported on 22 Feb 2024 linking UAC-0050 to “The DaVinci Group,” a Russian-speaking mercenary org tied to Russian law enforcement. 

UAC-0050 has been targeting Ukrainian organizations since the 2022 Russian invasion. 

Besides this, it has been attributed to 15 malspam campaigns, acting as an initial access broker for threat groups like Sandworm and Fancy Bear.


They deliver five malware families purchased with Bitcoin from underground cybercriminals, including Remcos RAT and Quasar RAT. 

CERT-UA shared artifacts like file paths and domains tied to UAC-0050 on various occasions by providing insight into their activities.

The DaVinci Group has been actively launching malspam attacks against Ukrainian targets since at least 2017.

They have targeted government ministries, local authorities, the military, and civilians with tens of thousands of harvested email addresses. 

Using tactics like posing as judicial authorities or security services, they distribute malicious attachments like Remcos RAT or RemoteUtilities RMM tools to deceive victims. 

Their evolving strategies show a concerning level of sophistication and persistence in their cyber operations.

DaVinci Group (Source – BushidoToken)

CERT-UA’s artifacts and a mix-up on DaVinci’s own website became the crucial pivots: the mistake openly exposed the DaVinci operators’ details, which made unraveling their activities straightforward.

DaVinci Website (Source – BushidoToken)

8161[.]uk serves as The DaVinci Group’s primary hub, showcasing their collection of services. Not only that, but they also boast access to 150,000 Moscow CCTV cameras.

DaVinci Services (Source – BushidoToken)

Since August 25, 2018, the DaVinci Project site has linked to domains like davincigroup[.]online.

It also connects to social media profiles, including a laughable Instagram account of scantily clad Russian models posing with laptops.

DaVinci on Instagram showcased explicit ads and glimpses of hacking and surveillance work.

Clients contact the group via Telegram, with multiple business-related accounts listed on the website’s Contact Us page.

Services Offered By DaVinci

Below are all the services the site offers, with prices as listed there (amounts in Russian rubles):

  • Breaking into WhatsApp/Viber – 350,000 rubles, for parallel access with the correspondence archive.
  • VK archive with remote messages – 500,000 rubles, exclusively from VKontakte servers.
  • Breaking into TV – from 500,000 rubles.
  • PC/mobile break-in – 150,000 rubles.
  • Stealing social network/messenger accounts – from 100,000 rubles.
  • Gmail archive – 250,000 rubles.
  • Corporate mail – 150,000 rubles.
  • Extraction of information from cellular towers – from 300,000 rubles.
  • Interception of Internet traffic – from 400,000 rubles.
  • Monitoring cell phone movements – from 900,000 rubles per week.
  • Search for stolen cars – 200,000 rubles.
  • Establishment/elimination of an exit/entry ban – 100,000 rubles.
  • Telegram hacking – 500,000 rubles.
  • Comprehensive dossiers on individuals (natural persons) – from 20,000 rubles; on legal entities – from 30,000 rubles.
  • Ministry of Internal Affairs (Russia) requests – from 1,500 rubles.
  • Interpol search – from 50,000 rubles.
  • Europol search – from 80,000 rubles.
  • Weapons search (weapons registered to a citizen) – from 5,000 rubles.
  • Border-crossing search – from 11,000 rubles.
  • Flight passenger list – from 10,000 rubles.
  • Determining data from an IP address – from 100,000 rubles.
  • Bank account balance – from 20,000 rubles.
  • Addresses of ATMs used by the target – from 30,000 rubles per month.
  • SMS details with text for 1 month, any operator in the Russian Federation – from 150,000 rubles.
  • Flash, any operator in the Russian Federation (all operators) – from 40,000 rubles.
  • Marking call points on the map via base stations (BS), per month (all operators) – from 10,000 rubles.

CERT-UA reports suggest DaVinci Group mercenaries may be aiding Russia in targeting Ukraine. Investigating their online presence reveals genuine capabilities but a clear lack of operational security.

DaVinci Group is a low-tier mercenary threat group blurring the lines between cybercrime and the Russian government.


Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
