Powered by MOMENTUM MEDIA
Pirated software causes malware infection in Ukrainian utility company

A recent cyber incident in Ukraine has shown that threat actors don’t always need to be too clever when it comes to spreading their malicious wares — sometimes, all you need to rely on is a user taking an ill-advised shortcut.

David Hollingworth
Wed, 05 Apr 2023

This is exactly what happened when a worker at an unnamed Ukrainian utility company felt they needed a copy of Microsoft Office. Instead of acquiring the software through a legitimate, trusted channel, they downloaded a pirated version of the productivity suite from a popular Ukrainian torrent site.

Unfortunately, when the pirated copy of Office was installed, two pieces of malware were installed alongside it — the DWAgent remote admin tool and the DarkCrystal remote access trojan.

The incident took place in January, leading to the threat actor behind the malware — dubbed UAC-0145 by the Computer Emergency Response Team of Ukraine (CERT-UA) — having access to the utility’s systems between 1 January and 22 March 2023.


“It should be noted that this vector of primary compromise is not the first time,” CERT-UA said in a statement. “In addition to Microsoft Office software products, there are known cases of infection, including when installing operating systems downloaded from unofficial sources, as well as other programs (scanners, password recovery tools, etc.).”

CERT-UA has not said anything about the activity of the threat actor once it did have access to the company’s network.

In the past, CERT-UA has linked the DarkCrystal RAT to the GRU-linked Sandworm hacking group, though that group does have its own unique identifier — UAC-0113.

Russia’s illegal invasion of Ukraine saw a wave of cyber attacks unleashed on Ukraine, the EU, and many other eastern European countries. According to Thales’ 2022-2023: A year of Cyber Conflict in Ukraine report, Ukraine has suffered 162 distributed denial-of-service (DDoS) attacks alone, which make up three-quarters of all cyber incidents in the region.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
