Ukrainian Firms Under Attack: WinRAR Exploit Unleashes LONEPAGE Malware

Source: The Hacker News
TL;DR Summary

The threat actor UAC-0099 has been targeting Ukrainian firms using a high-severity vulnerability in WinRAR to distribute the LONEPAGE malware. The attacks involve phishing messages with HTA, RAR, and LNK file attachments, leading to the deployment of LONEPAGE, a VBS malware capable of retrieving additional payloads. UAC-0099 has gained unauthorized remote access to several dozen computers in Ukraine. The group also utilizes self-extracting archives and ZIP files to exploit the WinRAR vulnerability. The attacks rely on PowerShell and the creation of a scheduled task to execute a VBS file. Additionally, CERT-UA has warned of a new wave of phishing messages attributed to UAC-0050, spreading the Remcos RAT.
