Lonepage

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

Lonepage is a malicious software (malware) that has been actively utilized by the threat actor UAC-0099 since mid-2022 to compromise Ukrainian entities. This malware, along with others like Clogflag, Seaglow, and Overjam, is used to spy on victims and steal data. The operation employs phishing messages containing HTA, RAR, and LNK file attachments, which lead to the deployment of the Visual Basic Script (VBS) malware Lonepage. Once launched, this malware retrieves additional payloads, including keyloggers and info-stealers. The delivery of Lonepage is made possible through the exploitation of a high-severity flaw in the WinRAR software, identified as CVE-2023-38831. In some attacks, this critical vulnerability was exploited to deliver the Lonepage strain of malware. The last-stage malware in these attacks is Lonepage, which utilizes a PowerShell script to fetch next-stage browser stealer (Thumbchop) and keylogger (Clogflag) payloads. On December 26, 2023, it was reported that UAC-0099 was exploiting this flaw in WinRAR to deliver the Lonepage malware in attacks against Ukraine. The CERT-UA disclosed a cyber espionage campaign last month, targeting state organizations and media representatives in Ukraine. These attacks highlight the continued use of the WinRAR vulnerability to distribute the malicious Lonepage malware, underscoring the ongoing threat posed by this particular flaw.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

WinRAR

Malware

Vulnerability

Exploit

Apt

Ukraine

Exploits

Ukrainian

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
CVE-2023-38831	Targets	2	CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil

Source Document References

Information about the Lonepage Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	a year ago	Cyber security week in review: June 9, 2023
CERT-EU	a year ago	PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland
CERT-EU	7 months ago	Breaking Cyber News From Cyberint - Cyberint
Securityaffairs	7 months ago	APT group UAC-0099 targets Ukraine exploiting WinRAR flaw
CERT-EU	7 months ago	APT group UAC-0099 targets Ukraine exploiting a WinRAR flaw
CERT-EU	7 months ago	Cyber Security Week In Review: December 22, 2023
CERT-EU	7 months ago	UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware
CERT-EU	7 months ago	WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms
CERT-EU	7 months ago	WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms