
Ukraine Targeted CERT-UA Warns of CABINETRAT Backdoor Attacks

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning regarding a new cyberattack campaign by the threat group UAC-0245, which is targeting the country with the CABINETRAT backdoor. 

Attack Details and Deception 

The campaign, first spotted in September 2025, utilizes malicious Excel XLL add-ins. These XLL files pose as legitimate software tools with names like "UBD Request.xll" to trick victims into opening them. 

The attackers have also attempted to spread the malicious file "500.zip" via the Signal messaging app, disguising it as a document related to border detention in Ukraine to maximize social engineering effectiveness. 

When a victim launches the XLL file, it initiates a complex chain of events: 

  1. It drops several files, including an EXE in the Startup folder and a second XLL ("BasicExcelMath.xll") in the APPDATA directory. 
  2. It modifies the Windows Registry to ensure persistence (runs automatically). 
  3. It starts Excel in a hidden mode and loads the secondary XLL add-in. 
  4. The add-in extracts and executes the CABINETRAT shellcode from a disguised PNG file ("Office.png"). 
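The dropper chain above leaves distinctive traces in endpoint telemetry: Excel started with an .xll from a user-writable path, an executable launched out of the Startup folder, and an autorun registry write. The following Python is an added illustration, not CERT-UA's or any vendor's tooling. The event layout is a simplification of Sysmon process-create and registry-set records, the CurrentVersion\Run key is an assumption (the advisory only says the registry is modified for persistence), and the user name, the dropped EXE name and the registry value name are constructed placeholders; the add-in file names come from the advisory.

```python
"""Flag the XLL dropper chain from the CERT-UA advisory in constructed endpoint telemetry."""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Constructed sample events (not real logs from the campaign); shaped loosely
# like Sysmon process-create and registry-set records.
SAMPLE_EVENTS: List[Event] = [
    # victim opens the lure add-in from Downloads
    {"id": 1, "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\user1\Downloads\UBD Request.xll"'},
    # dropped EXE (placeholder name; the advisory does not name it) run from the Startup folder
    {"id": 2, "type": "process_create",
     "image": r"C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.exe",
     "cmdline": r"dropped.exe"},
    # autorun value written (key path and value name are assumptions)
    {"id": 3, "type": "registry_set",
     "key": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\value_placeholder",
     "details": r"C:\Users\user1\AppData\Roaming\dropped.exe"},
    # hidden Excel instance loading the secondary add-in from APPDATA
    {"id": 4, "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\user1\AppData\Roaming\BasicExcelMath.xll"'},
    # benign activity that must not fire
    {"id": 5, "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\user1\Documents\budget.xlsx"'},
    {"id": 6, "type": "registry_set",
     "key": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0\Excel\Options",
     "details": "1"},
]

# An .xll referenced from a user-writable folder rather than an Office install path.
XLL_USER_PATH = re.compile(r'\\(AppData|Downloads|Desktop)\\[^"]*\.xll\b', re.IGNORECASE)
# Anything executing out of the per-user Startup folder.
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.IGNORECASE)
# Writes under the Run / RunOnce autorun keys (assumed persistence location).
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)


def evaluate(event: Event) -> List[str]:
    """Return the names of the rules a single event matches."""
    hits: List[str] = []
    if event["type"] == "process_create":
        image = str(event["image"])
        cmdline = str(event.get("cmdline", ""))
        if image.lower().endswith("\\excel.exe") and XLL_USER_PATH.search(cmdline):
            hits.append("excel_xll_user_path")
        if STARTUP_DIR.search(image):
            hits.append("startup_folder_exe")
    elif event["type"] == "registry_set" and RUN_KEY.search(str(event["key"])):
        hits.append("run_key_persistence")
    return hits


def detect(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """(event id, rule name) for every rule hit, in event order."""
    return [(int(e["id"]), rule) for e in events for rule in evaluate(e)]


# All three stages present on one host is a strong signal for the full chain.
CHAIN_RULES = {"excel_xll_user_path", "startup_folder_exe", "run_key_persistence"}


def chain_detected(findings: Iterable[Tuple[int, str]]) -> bool:
    return CHAIN_RULES.issubset({rule for _, rule in findings})


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for event_id, rule in hits:
        print(f"event {event_id}: {rule}")
    print("full chain:", chain_detected(hits))
```

Each rule alone is noisy in some environments (developers do load home-grown XLLs), so the combination matters more than any single hit; in a real deployment the three rules would be joined on host and a short time window rather than evaluated over one flat list.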

Advanced Evasion Techniques 

The attackers built sophisticated anti-analysis checks into the payload and shellcode to avoid detection by security researchers and automated systems. Before proceeding, the malware verifies that the host: 

  • has at least two CPU cores and 3 GB of RAM; 
  • is not running a common virtualization platform (such as VMware or VirtualBox), so a physical machine is likely required for the attack to proceed; 
  • passes checks on the user's Security Identifier (SID) and on the debug flag in the Process Environment Block (PEB). 

CERT-UA created the separate identifier UAC-0245 to track this activity, noting the novelty of the tactics and procedures, which differ from known XLL attacks carried out by other groups such as UAC-0002. 

CABINETRAT Backdoor Capabilities 

CABINETRAT is a shellcode-based backdoor written in C that gives the attackers extensive control over the infected machine. It first probes specific ports (a port-knock-like sequence) before connecting to its Command-and-Control (C2) server over TCP. 

The backdoor's capabilities include: 

  • Gathering detailed operating system and installed program information. 
  • Running arbitrary programs and sending the results back. 
  • Handling files (sending and receiving files, deleting files/folders). 
  • Taking screenshots. 
  • Exfiltrating data, including BIOS GUIDs and OS version info. 

The tool uses MSZIP compression for large messages and employs a "Ninja" → "Bonjour" handshake to confirm a connection with the C2 server. 
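The C2 behaviour described here, a port-knock-like burst of probes followed by a TCP session that opens with a fixed handshake, is something network telemetry can pick up. The Python below is an added illustration, not CERT-UA's detection content: the flow record layout, the knock threshold and window, and the assumption that the client sends "Ninja" and the server answers "Bonjour" are mine, and the addresses and ports are constructed (the article does not publish the real ones).

```python
"""Correlate a burst of payload-less connections with a following "Ninja"/"Bonjour" session."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Dict[str, object]

# Constructed flows (TEST-NET addresses, made-up ports): timestamp, endpoints,
# first client-to-server bytes (c2s) and first server-to-client bytes (s2c).
SAMPLE_FLOWS: List[Flow] = [
    {"id": 1, "ts": 100.0, "src": "192.0.2.10", "dst": "203.0.113.7", "dport": 1111, "c2s": b"", "s2c": b""},
    {"id": 2, "ts": 100.2, "src": "192.0.2.10", "dst": "203.0.113.7", "dport": 2222, "c2s": b"", "s2c": b""},
    {"id": 3, "ts": 100.4, "src": "192.0.2.10", "dst": "203.0.113.7", "dport": 3333, "c2s": b"", "s2c": b""},
    {"id": 4, "ts": 101.0, "src": "192.0.2.10", "dst": "203.0.113.7", "dport": 4444, "c2s": b"Ninja", "s2c": b"Bonjour"},
    # benign traffic that must not fire
    {"id": 5, "ts": 102.0, "src": "192.0.2.11", "dst": "198.51.100.20", "dport": 80,
     "c2s": b"GET / HTTP/1.1\r\n", "s2c": b"HTTP/1.1 200 OK\r\n"},
    # a single failed connect is not a knock sequence
    {"id": 6, "ts": 103.0, "src": "192.0.2.12", "dst": "198.51.100.21", "dport": 443, "c2s": b"", "s2c": b""},
]


def handshake_sessions(flows: Iterable[Flow], client_hello: bytes = b"Ninja",
                       server_reply: bytes = b"Bonjour") -> List[int]:
    """IDs of flows whose first exchange carries the assumed client/server handshake strings."""
    return [int(f["id"]) for f in flows
            if client_hello in bytes(f["c2s"]) and server_reply in bytes(f["s2c"])]


def knock_bursts(flows: Iterable[Flow], min_ports: int = 3,
                 window: float = 5.0) -> List[Tuple[str, str, List[int], float]]:
    """(src, dst, ports, first_ts) for runs of >= min_ports distinct-port,
    payload-less connections between one pair of hosts within `window` seconds."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for f in flows:
        if not f["c2s"] and not f["s2c"]:
            by_pair[(str(f["src"]), str(f["dst"]))].append((float(f["ts"]), int(f["dport"])))

    bursts = []
    for (src, dst), conns in by_pair.items():
        conns.sort()
        i = 0
        while i < len(conns):
            j = i
            while j < len(conns) and conns[j][0] - conns[i][0] <= window:
                j += 1                       # extend the window from conns[i]
            ports = sorted({p for _, p in conns[i:j]})
            if len(ports) >= min_ports:
                bursts.append((src, dst, ports, conns[i][0]))
                i = j                        # report each burst once
            else:
                i += 1
    return bursts


def correlate(flows: List[Flow], window: float = 30.0) -> List[int]:
    """Handshake sessions that follow a knock burst from the same src to the same dst."""
    bursts = knock_bursts(flows)
    ids = set(handshake_sessions(flows))
    return [int(f["id"]) for f in flows if int(f["id"]) in ids and any(
        s == f["src"] and d == f["dst"] and 0 <= float(f["ts"]) - t0 <= window
        for s, d, _, t0 in bursts)]


if __name__ == "__main__":
    print("knock bursts:", knock_bursts(SAMPLE_FLOWS))
    print("handshakes:", handshake_sessions(SAMPLE_FLOWS))
    print("correlated C2 sessions:", correlate(SAMPLE_FLOWS))
```

The handshake match on its own is the high-confidence part; the knock heuristic is there to catch implants whose greeting strings have been changed, at the cost of also matching ordinary port scans, which is why the two are correlated rather than alerted on separately. Because the tool compresses larger messages with MSZIP, later traffic in the session is not plaintext, so the first exchange is the place to look.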
