Lonepage

Malware updated 7 months ago (2024-05-04T21:18:04.704Z)

Download STIX

Preview STIX

Lonepage is a malicious software (malware) that has been actively utilized by the threat actor UAC-0099 since mid-2022 to compromise Ukrainian entities. This malware, along with others like Clogflag, Seaglow, and Overjam, is used to spy on victims and steal data. The operation employs phishing messages containing HTA, RAR, and LNK file attachments, which lead to the deployment of the Visual Basic Script (VBS) malware Lonepage. Once launched, this malware retrieves additional payloads, including keyloggers and info-stealers. The delivery of Lonepage is made possible through the exploitation of a high-severity flaw in the WinRAR software, identified as CVE-2023-38831. In some attacks, this critical vulnerability was exploited to deliver the Lonepage strain of malware. The last-stage malware in these attacks is Lonepage, which utilizes a PowerShell script to fetch next-stage browser stealer (Thumbchop) and keylogger (Clogflag) payloads. On December 26, 2023, it was reported that UAC-0099 was exploiting this flaw in WinRAR to deliver the Lonepage malware in attacks against Ukraine. The CERT-UA disclosed a cyber espionage campaign last month, targeting state organizations and media representatives in Ukraine. These attacks highlight the continued use of the WinRAR vulnerability to distribute the malicious Lonepage malware, underscoring the ongoing threat posed by this particular flaw.

Description last updated: 2024-05-04T20:32:57.404Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

WinRAR

Malware

Exploit

Phishing

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-38831 Vulnerability is associated with Lonepage. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil	Targets	2

Source Document References

Information about the Lonepage Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Cyber security week in review: June 9, 2023
CERT-EU	a year ago	PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland
CERT-EU	a year ago	Breaking Cyber News From Cyberint - Cyberint
Securityaffairs	a year ago	APT group UAC-0099 targets Ukraine exploiting WinRAR flaw
CERT-EU	a year ago	APT group UAC-0099 targets Ukraine exploiting a WinRAR flaw
CERT-EU	a year ago	Cyber Security Week In Review: December 22, 2023
CERT-EU	a year ago	UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware
CERT-EU	a year ago	WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms
CERT-EU	a year ago	WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms