# Full Report
A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor's targeting beyond Ukraine and into entities supporting the war-torn nation. The activity, which targeted an unnamed entity involved in regional
# Analysis Summary
# Threat Actor: UAC-0050 (Mercenary Akula / DaVinci Group)
## Attribution & Identity
* **Actor Identification:** Russia-aligned cybercrime group.
* **Known Aliases:** UAC-0050, DaVinci Group, Mercenary Akula (BlueVoyant designation).
* **Known Associations:** Characterized by CERT-UA as a mercenary group associated with Russian law enforcement agencies, operating under the "Fire Cells" branding.
## Activity Summary
The actor recently targeted an unnamed European financial institution involved in regional development and reconstruction initiatives supporting Ukraine. This represents a potential expansion of targeting beyond Ukraine-centric entities into Western Europe supporting the war-torn nation. The attack leveraged social engineering with legal themes to gain credentials and deploy remote access malware, likely aimed at intelligence gathering or financial theft.
## Tactics, Techniques & Procedures
- **Spear-Phishing:** Delivered via spear-phishing emails using legal themes.
- **Anti-Security Control Bypass:** Hosted malicious payload archives on PixelDrain (a known file-sharing service) to bypass reputation-based security controls.
- **File Staging/Delivery:** Used a multi-layered archive structure: ZIP file containing a RAR archive, which in turn contained a password-protected 7-Zip file.
- **Masquerading:** The final executable used the double extension trick (\*.pdf.exe) to masquerade as a legitimate PDF document.
- **Remote Access Tool Deployment:** Deployed legitimate third-party remote access software, abused in a living-off-the-land fashion, to maintain persistent access that blends in with normal administrative tooling.
- [Specific MITRE ATT&CK IDs were not mentioned in the source text.]
## Targeting
- **Sectors:** Financial Services, Regional Development/Reconstruction.
- **Geography:** Primarily Ukraine, but recent activity shows expansion/probing into Western Europe.
- **Victims:** A senior legal and policy advisor involved in procurement at the targeted European financial institution, indicating a focus on roles with privileged insight into operations.
## Tools & Infrastructure
- **Malware Families Used:** Remote Manipulator System (RMS) (Russian remote desktop software). Previously known to use LiteManager and RemcosRAT.
- **Infrastructure (C2, domains, IPs):**
  - **Delivery:** Hosted payload on PixelDrain.
  - **Spoofed Domain:** Spoofed a Ukrainian judicial domain for email delivery.
## Implications
This activity signals a strategic shift or expansion by UAC-0050, moving beyond purely domestic Ukrainian targets to actively probe Western European entities that support Ukraine's reconstruction efforts. The objective remains intelligence gathering (similar to Russian state-aligned actors) and potential financial gain. The use of legitimate remote access tools like RMS facilitates stealthy, persistent operations favorable for long-term intelligence gathering.
## Mitigations
- **Email Security:** Implement strict controls and advanced sandboxing for attachments originating from external sources, especially those containing archives or leveraging file-sharing services like PixelDrain for payload delivery.
- **File Execution Control:** Harden endpoint configurations to prevent execution of double-extension files (\*.pdf.exe) or to block execution from temporary/uncommon locations.
- **Application Whitelisting:** Monitor and restrict the execution of legitimate remote administration tools (RMS, LiteManager) unless explicitly permitted for authorized users, as these are often abused for persistence.
- **User Education:** Conduct targeted security awareness training focused on identifying spear-phishing attempts involving legal themes or urgent documentation requests.
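The following is an added example, not code from the report or from any vendor's product. It implements the attachment check implied by the staging chain in the TTPs (archive inside archive, an opaque password-protected inner layer, a `*.pdf.exe` final payload) and by the double-extension and sandboxing mitigations above. It uses only the Python standard library, so the RAR layer from the report is stood in for by a second ZIP in the constructed sample, non-ZIP archive layers (`.rar`, `.7z`) and encrypted ZIP members are reported as uninspectable rather than opened, and the extension lists are assumptions rather than values from the report. The `MZ` magic check is there so a renamed executable is caught even when the name passes the extension rules.

```python
"""Triage a nested ZIP attachment for archive-in-archive staging, opaque inner
layers, and executables masquerading as documents via a double extension."""
import io
import os
import zipfile
from typing import List, Tuple

# Assumed extension sets for name-based checks (not taken from the report).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}

Finding = Tuple[str, str]  # (path inside the attachment, reason)


def classify_name(name: str) -> List[str]:
    """Name-only checks: executable, document.exe double extension, nested archive."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons: List[str] = []
    if len(parts) >= 2:
        last = "." + parts[-1]
        if last in EXECUTABLE_EXTS:
            reasons.append("executable member")
            # court_order.pdf.exe -> parts == ['court_order', 'pdf', 'exe']
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
                reasons.append("double extension masquerading as document")
        elif last in ARCHIVE_EXTS:
            reasons.append("nested archive")
    return reasons


def scan_zip(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 4) -> List[Finding]:
    """Recursively inspect ZIP bytes and return (path, reason) findings."""
    if depth > max_depth:
        return [(prefix, f"nesting deeper than {max_depth} levels")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "archive could not be opened as ZIP (inspect in sandbox)")]
    findings: List[Finding] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            if encrypted:
                findings.append((path, "password-protected member (contents not inspectable)"))
            findings += [(path, r) for r in classify_name(info.filename)]
            if encrypted:
                continue  # reading would need the password; name checks already recorded
            content = zf.read(info)
            if content[:2] == b"MZ":
                findings.append((path, "PE header (MZ) regardless of extension"))
            ext = os.path.splitext(info.filename)[1].lower()
            if ext == ".zip":
                findings += scan_zip(content, path, depth + 1, max_depth)
            elif ext in ARCHIVE_EXTS:
                findings.append((path, "non-ZIP archive layer; needs sandbox/extra tooling to open"))
    return findings


def triage(data: bytes) -> Tuple[str, List[Finding]]:
    """Verdict plus findings: 'block' on masquerading or PE evidence, 'sandbox' on anything else."""
    findings = scan_zip(data)
    hard = {"double extension masquerading as document", "PE header (MZ) regardless of extension"}
    if any(r in hard for _, r in findings):
        return "block", findings
    return ("sandbox" if findings else "allow"), findings


def build_sample_attachment() -> bytes:
    """Constructed sample mirroring the reported layering: outer ZIP -> inner archive
    -> opaque 7z-looking blob + double-extension fake executable. A ZIP stands in for
    the inner RAR layer because only the standard library is used here."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("evidence.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)  # opaque, not a real archive
        z.writestr("court_order.pdf.exe", b"MZ" + b"\x00" * 62)          # fake PE stub, not runnable
        z.writestr("cover_letter.pdf", b"%PDF-1.4\n%%EOF\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("case_files.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    verdict, found = triage(build_sample_attachment())
    print("verdict:", verdict)
    for p, reason in found:
        print(f"  {p}: {reason}")
```

In a mail gateway this would sit in front of, not instead of, detonation: anything that comes back `sandbox` (an unopenable or encrypted inner layer) is exactly the case where static inspection runs out and the attachment should be detonated or held, while `block` findings are strong enough to quarantine on their own.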