UAC-0050 Expands Targeting Beyond Ukraine With Sophisticated Social Engineering Campaign
#Cybersecurity

Security Reporter

Russia-aligned cybercrime group UAC-0050 has expanded its targeting beyond Ukraine, launching a sophisticated social engineering attack against a European financial institution that used spoofed domains and the legitimate Remote Manipulator System (RMS) remote access tool to facilitate intelligence gathering and potential financial theft.

A Russia-aligned cybercrime group has expanded its operations beyond Ukraine, targeting a European financial institution with a sophisticated social engineering campaign that combines spoofed domains and legitimate remote access software to facilitate intelligence gathering and potential financial theft.

The attack, attributed to UAC-0050 (also known as DaVinci Group), marks a significant shift in the threat actor's targeting strategy. Previously focused primarily on Ukraine-based entities, particularly accountants and financial officers, the group has now turned its attention to institutions supporting Ukraine from Western Europe.

The Attack Vector

The campaign began with a spear-phishing email that spoofed a Ukrainian judicial domain. The email was carefully crafted to appeal to a senior legal and policy advisor involved in procurement at the targeted institution. This role was specifically chosen due to its privileged insight into institutional operations and financial mechanisms.

Recipients were directed to download an archive file hosted on PixelDrain, a file-sharing service frequently used by threat actors because its links carry a good reputation and pass reputation-based security controls. The downloaded ZIP unpacked into a multi-layered infection chain, each layer designed to defeat a different control:

  1. A RAR archive containing a password-protected 7-Zip archive; the password prevents mail gateways and sandboxes from inspecting the inner contents
  2. Inside it, an executable masquerading as a PDF document through the double extension trick (*.pdf.exe), which relies on Windows hiding known file extensions by default
  3. On execution, deployment of an MSI installer for Remote Manipulator System (RMS)
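The three properties that make this chain dangerous (a password-protected inner archive, a document extension in front of an executable one, and content whose magic bytes contradict its claimed type) can all be checked before a user ever opens the file. The following is an added example, not code from the original article or from any vendor's product, that builds a constructed ZIP in memory mimicking the structure described above and scans it. Member names and bytes are invented for the demonstration; the RAR and 7-Zip layers cannot be opened with the standard library, so they are only flagged for sandbox extraction.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions Windows will execute on double-click.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".hta", ".lnk"}
# Nested archive formats; flag them so a sandbox extracts them rather than the mail gateway passing them.
ARCHIVE_EXT = {".rar", ".7z", ".zip", ".iso", ".img"}
# "Harmless-looking" extensions attackers place before the real one.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass
class Finding:
    member: str
    reason: str


def _extensions(name: str) -> List[str]:
    """Return every extension of a member name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def scan_archive(data: bytes) -> List[Finding]:
    """Inspect a ZIP without extracting it to disk and report infection-chain indicators."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""

            # Indicator 1: password-protected member (general-purpose flag bit 0).
            if info.flag_bits & 0x1:
                findings.append(Finding(info.filename, "password-protected member"))

            # Indicator 2: document extension followed by an executable one.
            if last in EXEC_EXT and len(exts) >= 2 and exts[-2] in DOC_EXT:
                findings.append(Finding(info.filename, "double extension"))

            # Indicator 3: nested archive that this scanner cannot look into.
            if last in ARCHIVE_EXT:
                findings.append(Finding(info.filename, "nested archive"))

            # Indicator 4: content says PE ("MZ") while the name says document.
            if not (info.flag_bits & 0x1):
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ" and last not in EXEC_EXT:
                    findings.append(Finding(info.filename, "executable content under document extension"))
    return findings


def build_sample() -> bytes:
    """Constructed ZIP resembling the described lure; the bytes are NOT a real PE or RAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Court_Decision_2024.pdf.exe", b"MZ" + b"\x90" * 62)  # fake PE stub
        zf.writestr("Court_Decision_2024.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)  # fake RAR5 header
        zf.writestr("Annex.pdf", b"MZ" + b"\x00" * 30)  # PE hidden behind a .pdf name
        zf.writestr("notes.txt", b"Please review before Friday.")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample()):
        print(f"{f.member}: {f.reason}")
```

A gateway rule built on these checks would quarantine on any of the first three indicators and let "notes.txt" through untouched; the magic-byte check catches a PE renamed to ".pdf" even when there is no double extension at all.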

RMS Deployment

Remote Manipulator System (RMS) is Russian-made commercial remote desktop software. Once installed on a victim's machine it gives the attacker remote control, desktop viewing, and file transfer with the same persistence a legitimate administrator would have. Because it is a real product rather than custom malware, antivirus engines frequently do not flag it, which is precisely why the group chose it.

"The use of such 'living-off-the-land' tools provides attackers with persistent, stealthy access while often evading traditional antivirus detection," researchers noted in their analysis.

This approach aligns with UAC-0050's established modus operandi. The group has previously deployed legitimate remote access software like LiteManager and remote access trojans such as RemcosRAT in attacks targeting Ukraine.

Attribution and Context

BlueVoyant tracks this threat cluster under the name "Mercenary Akula", characterizing it as a mercenary group associated with Russian law enforcement agencies. The Computer Emergency Response Team of Ukraine (CERT-UA) has linked UAC-0050 to the Fire Cells branding, noting the group's involvement in data gathering, financial theft, and information and psychological operations.

The timing of this attack coincides with broader trends in Russian cyber operations. Ukraine has reported that Russian cyber attacks against its energy infrastructure are increasingly focused on intelligence collection to guide missile strikes rather than immediate operational disruption.

Broader Threat Landscape

This incident reflects a larger pattern of Russian-aligned threat actors expanding their targeting beyond immediate conflict zones. CrowdStrike's annual Global Threat Report indicates that Russia-nexus adversaries will continue conducting aggressive operations aimed at intelligence gathering from Ukrainian targets and NATO member states.

One notable example involves APT29 (also known as Cozy Bear and Midnight Blizzard), which has been systematically exploiting trust, organizational credibility, and platform legitimacy in spear-phishing campaigns. The group has successfully compromised or impersonated individuals with whom targeted users maintained trusting professional relationships, including employees from international NGO branches and pro-Ukraine organizations.

"The adversary heavily invested in substantiating these impersonations, using compromised individuals' legitimate email accounts alongside burner communication channels to reinforce authenticity," CrowdStrike reported.

Implications for Financial Institutions

This attack demonstrates the evolving sophistication of state-aligned cybercrime groups and their willingness to target institutions supporting geopolitical adversaries. Financial institutions, particularly those involved in reconstruction and development initiatives in conflict zones, should be aware of the increased risk profile.

The use of legitimate remote access tools like RMS presents a particular challenge for defenders, because signature-based controls see a commercial product, not malware. Organizations should monitor for unusual remote access patterns, such as a new remote-access service appearing on a workstation or a silent MSI install launched from a process in a user-writable directory, and should consider application allowlisting so that unsanctioned installers cannot run at all.
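What "monitoring for unusual remote access patterns" looks like in practice is a small set of correlated rules over endpoint telemetry. The following is an added example, not code from the article or from any vendor, that evaluates three rules over constructed, Sysmon-style events: a process whose name uses the document-then-executable double extension, a silent msiexec run whose parent lives in a user-writable directory, and an MSI product name matching a remote access tool named in the article (RMS, LiteManager). The event shape, host names, paths and the product string are invented for the demonstration; "Remote Utilities" is included as an assumed alternate product name for RMS.

```python
import re
from typing import Dict, List, Tuple

# Remote access products this article associates with UAC-0050 (case-insensitive substrings).
# "remote utilities" is an assumed alternate name for RMS; adjust to your allowlist.
RAT_PRODUCTS = ("remote manipulator system", "remote utilities", "litemanager")

# document extension immediately followed by an executable extension, e.g. "Decision.pdf.exe"
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(exe|scr|com|pif|js|vbs|msi|bat|cmd)$", re.I)
# parent process running out of a user-writable location
USER_DIRS = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
# msiexec flags that suppress the UI
SILENT_MSI = re.compile(r"(^|\s)/(qn|quiet)\b", re.I)

Alert = Tuple[str, str, str]  # (rule, severity, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def evaluate(events: List[Dict[str, str]]) -> List[Alert]:
    """Run the three detection rules over an ordered list of endpoint events."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["type"] == "process_create":
            image, parent = ev["image"], ev.get("parent", "")
            # Rule 1: the lure executable itself.
            if DOUBLE_EXT.search(basename(image)):
                alerts.append(("double_extension_exec", "high", image))
            # Rule 2: silent installer driven by something in Downloads/Temp/AppData.
            if basename(image).lower() == "msiexec.exe" and SILENT_MSI.search(ev.get("cmdline", "")):
                if DOUBLE_EXT.search(basename(parent)) or USER_DIRS.search(parent):
                    alerts.append(("silent_msi_from_user_process", "medium", f"{basename(parent)} -> msiexec"))
        elif ev["type"] == "msi_install":
            # Rule 3: the product that got installed is a remote access tool.
            product = ev["product"]
            if any(p in product.lower() for p in RAT_PRODUCTS):
                alerts.append(("remote_access_tool_installed", "high", product))
    return alerts


# Constructed telemetry approximating the chain described in the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "host": "WS-LEGAL-07",
     "image": "C:\\Users\\a.legal\\Downloads\\Decision\\Decision.pdf.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "Decision.pdf.exe"},
    {"type": "process_create", "host": "WS-LEGAL-07",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent": "C:\\Users\\a.legal\\Downloads\\Decision\\Decision.pdf.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\a.legal\\AppData\\Local\\Temp\\host.msi /qn"},
    {"type": "msi_install", "host": "WS-LEGAL-07",
     "product": "Remote Manipulator System - Host", "user": "CORP\\a.legal"},
    # Benign noise: a patch pushed by the software-deployment service.
    {"type": "process_create", "host": "WS-LEGAL-07",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "msiexec.exe /V"},
    {"type": "msi_install", "host": "WS-LEGAL-07", "product": "7-Zip 23.01 (x64)", "user": "SYSTEM"},
]


if __name__ == "__main__":
    for rule, severity, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Rules 1 and 2 fire before RMS is even on disk, which is the window in which an analyst can still stop the install; rule 3 is the backstop for an installer that arrives by some other path. On a real SIEM the three alerts sharing a host within a few minutes should be promoted to a single high-severity incident rather than triaged separately.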

The expansion of UAC-0050's targeting beyond Ukraine suggests that institutions supporting Ukraine may face increased cyber threats, requiring enhanced security measures and threat intelligence sharing across the European financial sector.
