Attacker Loaded DarkCrystal and DWAgent Remote Access Trojans
An employee of a Ukrainian utility company downloaded and installed an unlicensed copy of Microsoft Office from a torrent site, resulting in two remote access Trojans running on the company's systems for two months.
The Computer Emergency Response Team of Ukraine (CERT-UA) said the pirated Office package bundled the DarkCrystal remote access Trojan and the DWAgent remote administration tool. Together the two programs gave an unauthorized third party access to the company's network between Jan. 19 and March 22.
The cybersecurity first responder attributes the activity to a group it tracks as UAC-0145. CERT-UA has previously linked DarkCrystal RAT usage to Sandworm, the common Western name for the Russian military intelligence hacking unit behind a string of destructive attacks on Ukraine. Kyiv tracks Sandworm as UAC-0113 (Russian Sandworm APT Adds New Wiper to Its Arsenal).
CERT-UA said pirated software is a common infection vector: "In addition to Microsoft Office software products, there are known cases of infection, including when installing operating systems downloaded from unofficial sources, as well as other programs like scanners, password recovery tools, etc."
Russian state hackers have pummeled Ukraine for nearly a decade, with a notable uptick in the first four months of 2022, around the time Moscow launched its full-scale invasion. The cyber dimension of the conflict has not turned into the cyberwar many predicted, but hacking has been constant. Microsoft recently predicted that Russian hackers will step up their use of ransomware, pursue initial access to systems and mount further influence operations (Russia May Be Reviving Cyber Ops Ahead of Spring Offensive).