UAC-0173 is a threat actor group that targets Ukrainian organizations with advanced malware campaigns, specifically using AsyncRAT. This report details their techniques for evading antivirus detection and how defenders can enhance their detection capabilities. Affected: Ukrainian organizations
Keypoints :
- UAC-0173 targets Ukrainian organizations with sophisticated malware, mainly AsyncRAT.
- Abuse.ch’s Malware Bazaar facilitates malware sample sharing for improved cybersecurity.
- Key techniques include anti-analysis through WMI and process-killing capabilities.
- Windows Management Instrumentation (WMI) is utilized extensively for evasion.
- The malware checks for virtual environments to avoid detection.
- It can kill legitimate system processes and antivirus components.
- Malware can identify installed antivirus products and escalate privileges.
- Bypasses Windows Defender using Antimalware Scan Interface (AMSI) manipulation.
- Many samples from UAC-0173 are developed in .NET.
MITRE Techniques :
- Process Discovery (T1057) – Uses CreateToolhelp32Snapshot to identify processes for termination.
- WMI Query (T1047) – Executes WMI queries to retrieve information about antivirus products and system configurations.
- Privilege Escalation (T1068) – Checks for administrative privileges using specific RIDs to determine access levels.
- Windows Management Instrumentation (T1047) – Employs WMI queries to detect virtual environments and evade analysis.
- Bypass User Account Control (T1134) – Modifies AMSI in amsi.dll to evade Windows Defender detection.
Indicator of Compromise :
- MD5 e9cedc98677b6b5146b14009ced7d624
- SHA1 1b6e14e578c613932496bfd49c616760bdceb2c1
- References: hxxps://cert.gov.ua/article/62825362
- References: hxxps://bazaar.abuse.ch/user/18825/
Full Story: https://malwareanalysisspace.blogspot.com/2025/03/asyncrat-in-action-uac-0173s-latest.html