UAC-0247 Infostealer Campaign Targeting Ukrainian Healthcare: Detection and Hardening Guide

Introduction\n\nThe Computer Emergency Response Team of Ukraine (CERT-UA) has issued a critical warning regarding active campaigns orchestrated by the threat actor UAC-0247. Observed throughout March and April, these operations specifically target government bodies and municipal healthcare institutions—including clinics and emergency hospitals. The objective is clear: the deployment of malicious software engineered to exfiltrate sensitive data from Chromium-based web browsers and WhatsApp desktop clients.\n\nFor defenders in the healthcare sector, where the integrity of patient data and operational continuity is paramount, this represents a significant risk. The threat actor is actively targeting credentials and session tokens stored within these applications to facilitate lateral movement and data theft. This post provides the technical analysis and defensive instrumentation required to detect and mitigate this specific threat.\n\n### Technical Analysis\n\nThreat Actor: UAC-0247 (Attributed by CERT-UA)\nTarget Sector: Government and Municipal Healthcare (Ukraine)\nTimeframe: Active exploitation observed March – April 2026\nPayload Type: Information Stealer (Infostealer)\n\nAttack Mechanics and Affected Components:\nThe UAC-0247 campaign utilizes infostealer malware capable of parsing local databases and storage files used by end-user applications. The attack chain typically follows an initial compromise vector (often phishing or credential reuse) to drop the payload. Once executed on the endpoint, the malware performs the following actions:\n\n1. Chromium Browser Targeting: The malware targets the Default profile directory of Chromium-based browsers (Google Chrome, Microsoft Edge, Brave, etc.) to locate and steal:\n * Login Data: The SQLite database containing saved passwords.\n * Cookies: The database containing session cookies.\n * Web Data: Autofill data and credit card information.\n * History and Local Storage.\n\n2. WhatsApp Desktop Targeting: The malware queries the WhatsApp Desktop application directory to extract:\n * msgstore.db: The database containing chat history and messages.\n * key files: Encryption keys necessary to decrypt the message database.\n\nExploitation Status:\nThere is no CVE associated with this specific activity; it is an abuse of legitimate application functionality and file storage. The exploitation status is Active and confirmed in-the-wild by CERT-UA.\n\n### Detection & Response\n\nThe following detection logic focuses on the behavioral indicators of this infostealer: unauthorized processes accessing sensitive application data files. A critical detection strategy is to identify when a process other than the legitimate application (e.g., chrome.exe, WhatsApp.exe) attempts to read or copy these specific SQLite database files.\n\n#### Sigma Rules\n\nyaml\n---\ntitle: UAC-0247 Suspicious Chromium Browser Data Access\nid: 8a4b9c1d-55e6-4a22-b12a-9c3e4f5a6b7d\nstatus: experimental\ndescription: Detects unauthorized processes accessing Chromium 'Login Data' or 'Cookies' files, indicative of infostealer activity associated with UAC-0247.\nreferences:\n - https://cert.gov.ua/article/628754\nauthor: Security Arsenal\ndate: 2026/04/06\ntags:\n - attack.credential_access\n - attack.t1555.003\nlogsource:\n category: file_access\n product: windows\ndetection:\n selection:\n TargetFilename|contains:\n - '\\Google\\Chrome\\User Data\\Default\\Login Data'\n - '\\Google\\Chrome\\User Data\\Default\\Cookies'\n - '\\Microsoft\\Edge\\User Data\\Default\\Login Data'\n - '\\Microsoft\\Edge\\User Data\\Default\\Cookies'\n - '\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data'\n filter_main_legit_browser:\n Image|endswith:\n - '\\chrome.exe'\n - '\\msedge.exe'\n - '\brave.exe'\n filter_main_os_tools:\n Image|endswith:\n - '\\explorer.exe'\n - '\\sihost.exe'\n condition: selection and not 1 of filter_main_\nfalsepositives:\n - Legitimate backup software accessing profile data\n - Security tools scanning browser databases\nlevel: high\n---\ntitle: UAC-0247 WhatsApp Desktop Database Access\nid: 2d3e4f5a-6b7c-8d9e-0f1a-2b3c4d5e6f7a\nstatus: experimental\ndescription: Detects non-Windows or non-WhatsApp processes accessing WhatsApp message stores (msgstore.db) or keys, a tactic observed in UAC-0247 campaigns.\nreferences:\n - https://cert.gov.ua/article/628754\nauthor: Security Arsenal\ndate: 2026/04/06\ntags:\n - attack.collection\n - attack_t1005\nlogsource:\n category: file_access\n product: windows\ndetection:\n selection:\n TargetFilename|contains:\n - '\\WhatsApp\\msgstore.db'\n - '\\WhatsApp\\key'\n - '\\WhatsApp\\cookies.sqlite'\n filter_main_whatsapp:\n Image|endswith:\n - '\\WhatsApp.exe'\n - '\\WhatsAppDesktop.exe'\n filter_main_os_tools:\n Image|endswith:\n - '\\explorer.exe'\n - '\\dllhost.exe'\n - '\\SearchIndexer.exe'\n condition: selection and not 1 of filter_main_\nfalsepositives:\n - Antivirus scans\n - File indexing services\nlevel: high\n\n\n#### KQL (Microsoft Sentinel / Defender)\n\nkql\n// Hunt for suspicious access to Chromium Login Data or Cookies\nDeviceFileEvents\n| where ActionType in ("FileAccessed", "FileRead")\n| where FolderPaths has @"Google\\Chrome\\User Data\\Default" \n or FolderPaths has @"Microsoft\\Edge\\User Data\\Default"\n| where FileName in ("Login Data", "Cookies", "Web Data")\n| where InitiatingProcessFileName !in ("chrome.exe", "msedge.exe", "brave.exe", "explorer.exe", "sihost.exe")\n| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPaths, FileName\n| order by Timestamp desc\n\n\n#### Velociraptor VQL\n\nvql\n-- Hunt for processes attempting to read Chromium or WhatsApp database files\nSELECT * FROM watch_monitoring(\n glob="/Google/Chrome/User Data/Default/Login Data", \n access=READ\n)\nWHERE NOT Name =~ "chrome.exe" \n AND NOT Name =~ "msedge.exe"\n\nSELECT * FROM watch_monitoring(\n glob="/WhatsApp/msgstore.db", \n access=READ\n)\nWHERE NOT Name =~ "WhatsApp.exe" \n AND NOT Name =~ "explorer.exe"\n\n\n#### Remediation Script (PowerShell)\n\npowershell\n<#\n.SYNOPSIS\n Audit and restrict access to sensitive browser and WhatsApp data directories.\n.DESCRIPTION\n This script identifies sensitive directories (Chromium, WhatsApp) in user profiles\n and outputs their current ACLs. It also optionally disables inheritance to force\n explicit access control, preventing low-privilege malware from reading data.\n#>\n\n$SensitivePaths = @(\n "$env:LOCALAPPDATA\\Google\\Chrome\\User Data",\n "$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data",\n "$env:APPDATA\\WhatsApp"\n)\n\nforeach ($Path in $SensitivePaths) {\n if (Test-Path $Path) {\n Write-Host "Checking ACLs for: $Path" -ForegroundColor Cyan\n $Acl = Get-Acl -Path $Path\n $Acl.Access | Where-Object { $.FileSystemRights -match "Read" -or $.FileSystemRights -match "FullControl" } | \n Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited | \n Format-Table -AutoSize\n \n # Optional: Uncomment to disable inheritance and remove inherited permissions (Use with caution)\n # $Acl.SetAccessRuleProtection($true, $false)\n # Set-Acl -Path $Path -AclObject $Acl\n # Write-Host "Inheritance disabled for $Path" -ForegroundColor Yellow\n } else {\n Write-Host "Path not found: $Path" -ForegroundColor Gray\n }\n}\n\nWrite-Host "Audit complete. Review output for non-standard users (e.g., Everyone, Authenticated Users)." -ForegroundColor Green\n\n\n### Remediation\n\nTo defend against the UAC-0247 infostealer campaign, healthcare and government entities should implement the following remediation steps immediately:\n\n1. User Education and Phishing Resistance: Since the initial vector often involves social engineering or credential harvesting, reinforce security awareness training specifically regarding suspicious emails and attachments referencing medical supplies or emergency updates.\n\n2. Application Hardening (Browser Isolation):\n * Encourage the use of Incognito/Private mode for accessing sensitive clinical systems, ensuring session data is not written to disk upon closing.\n * Implement Browser Extensions: Force-install enterprise security extensions that manage credentials securely rather than relying on browser-saved passwords.\n\n3. Restrict Desktop Application Usage:\n * Where possible, restrict the use of WhatsApp Desktop to managed mobile devices (MDM) rather than clinical workstations. If desktop usage is mandatory, ensure it runs within a restricted user environment without administrative privileges.\n\n4. Filesystem Permissions (Least Privilege):\n * Modify Access Control Lists (ACLs) on %LOCALAPPDATA%\\Google\\Chrome\\User Data and %APPDATA%\\WhatsApp to prevent read access from processes other than the main executables. This significantly hinders infostealers' ability to dump database files.\n\n5. Detection Deployment: Deploy the provided Sigma rules and KQL queries into your SIEM to generate alerts for any process attempting to access these database files outside of normal operation.\n\n### Related Resources\n\nSecurity Arsenal Healthcare Cybersecurity\nAlertMonitor Platform\nBook a SOC Assessment\nhealthcare Intel Hub