In this blog, we shall investigate a Russia-based mercenary group that has appeared in multiple CERT-UA reports after sending waves of spam to Ukrainian organisations. These mercenaries use tried and tested tactics, techniques, and procedures (TTPs) that are low effort but operationally functional. This includes the use of off-the-shelf commodity crimeware as well as legitimate remote management and monitoring (RMM) tools. These mercenaries are also notable because they have low operational security (OPSEC) and offer their services publicly, to Russians, via Facebook, Instagram, Telegram, various cybercrime forums, as well as their own websites.
A report by the Computer Emergency Response Team of Ukraine (CERT-UA) on 22 February 2024 shared a notable statement of attribution for a threat group tracked as UAC-0050, on which CERT-UA has already published updates several times. The CERT-UA team and other security researchers online believe that UAC-0050 is linked to a Russian-speaking mercenary organisation called “The DaVinci Group”, which, as you will see later on, also goes by “Agency DaVinci” or “DaVinci Project”. CERT-UA assessed that UAC-0050 (The DaVinci Group) has ties to Russian law enforcement and has been targeting Ukrainian organisations since the beginning of the Russian invasion of Ukraine in 2022.
CERT-UA says it has attributed at least 15 malicious spam (malspam) campaigns to the DaVinci Group and assesses that they are acting as initial access brokers (IABs) for more serious threat groups, potentially the likes of Sandworm (UAC-0082), Fancy Bear (UAC-0028), or Armageddon Group (UAC-0010), among others. The adversaries are also said to deliver up to five different malware families: Remcos RAT, Quasar RAT, Venom RAT, RemoteUtilities RMM, and LummaStealer. The notable aspect of these malware families is that they are all off-the-shelf commodity crimeware, which anyone can purchase from the cybercriminal underground with enough Bitcoin.
CERT-UA released several artifacts from malspam campaigns tied to UAC-0050 that are relevant to The DaVinci Group on several occasions:
Active since at least 2017, but potentially earlier, The DaVinci Group (aka UAC-0050) has recently been launching wave after wave of malspam against Ukrainian targets. Their victims likely range from government ministries, local authorities, and the Ukrainian military to civilians caught in the malspam crossfire, analogous to Russia’s war of aggression itself.
The DaVinci Group (aka UAC-0050) has harvested (or paid for) tens of thousands of Ukrainian email addresses and, as described by CERT-UA, uses them to launch malspam campaigns.
In November 2023, emails sent by DaVinci were delivered to more than 15,000 addresses using a compromised account belonging to one of the judicial authorities of Ukraine. The subject of the email was “Subpoena”, making targets think they were being investigated by the law, but the RAR file attached to the email instead contained Remcos RAT. Also in November 2023, DaVinci sent another wave of malspam masquerading as the Security Service of Ukraine, which likewise had a RAR file attached containing Remcos RAT.
In January 2024, however, DaVinci modified their mass distribution of emails, this time posing as the State Special Communications Service and the State Emergency Service of Ukraine. These emails carried either a link to Bitbucket or an attached RAR file, in both cases delivering the legitimate RemoteUtilities RMM tool. According to the Bitbucket repo’s stats, the RemoteUtilities RMM tool was downloaded a staggering 3,000+ times in less than 12 hours.
The artifacts shared by CERT-UA were useful to pivot off of, as was the fact that DaVinci operators had seemingly made the mistake of reusing their own branded website as infrastructure during malspam campaigns. From there, it was simple to pivot and uncover their details, as they were promoted openly:
The domain 8161[.]uk is The DaVinci Group’s main website, where they advertise their services, such as hacking people’s email accounts, social media accounts, and instant messaging accounts, remote access to PCs, launching Denial of Service (DoS) attacks, wiping files/evidence from other computers, and they even claim to have access to up to 150,000 CCTV cameras in Moscow (see below).
The main “DaVinci Project” website appears to have been around since at least 25 August 2018 and is also connected to other domains such as davincigroup[.]online, groupdavinci[.]online, and davinci-project[.]info.
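For defenders who want to sweep their own proxy or DNS logs for contact with the DaVinci domains named above, here is an added Python example (not part of the original post). The log format is an assumption, the log lines are constructed, and the matching is done on domain labels so that look-alike hosts such as not8161.uk are not flagged by accident.

```python
import re
# Domains named in the post, in the defanged form used above.
DEFANGED_IOCS = ["8161[.]uk", "davincigroup[.]online",
                 "groupdavinci[.]online", "davinci-project[.]info"]

def refang(domain):
    """Turn a defanged indicator such as '8161[.]uk' into a matchable domain."""
    return domain.replace("[.]", ".").lower().strip(".")

def host_matches(host, ioc):
    """True for the IoC domain itself or any subdomain of it. Comparing on
    dot-delimited labels avoids substring false positives like 'not8161.uk'."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)", re.IGNORECASE)

def hunt(log_lines, defanged=DEFANGED_IOCS):
    """Return (timestamp, client_ip, host, matched_ioc) for each hit."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, _method, url, _status = m.groups()
        h = URL_HOST_RE.match(url)
        if not h:
            continue
        host = h.group(1)
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((ts, client, host.lower(), ioc))
                break
    return hits
# Constructed sample log lines (not real traffic); the third is a near-miss.
SAMPLE_LOG = [
    "2024-01-15T09:12:01Z 10.0.0.5 GET http://www.8161.uk/update.exe 200",
    "2024-01-15T09:12:03Z 10.0.0.5 GET https://bitbucket.org/some/repo 200",
    "2024-01-15T09:13:10Z 10.0.0.7 GET http://not8161.uk/index.html 200",
    "2024-01-15T09:14:22Z 10.0.0.9 POST https://davinci-project.info:8080/gate 404",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("contact with DaVinci infrastructure:", hit)
```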
The website also contains various links to other profiles on social media sites, such as Facebook and Instagram (see below).
The DaVinci Group’s Instagram account also laughably uses absurd marketing tactics such as hiring scantily-clad Russian models to hold up a laptop with their website open. Only in Russia!
On Instagram, DaVinci had many explicit ads like the above, but they also teased some of their actual hacking, surveillance, and private investigation work too. This included services such as deanonymizing people on social networks, searching for stolen cars online, geolocating people, and physical surveillance (disclaimer: these were machine translated from Russian).
The way prospective clients contact The DaVinci Group and acquire their services appears to be mainly via Telegram, as they have several Telegram accounts for conducting business, and these were listed on the Contact Us page of their website.
Interestingly, these semi-professional-looking mercenaries also advertise a lot on cybercrime underground forums and in various Telegram group chats. In their cybercrime forum posts, their profiles, often named ‘Davinci Assistant’, share a list of their services and prices (see below).
The earliest forum post from DaVinci that could be found was from 28 November 2017 on the now defunct Russian-speaking site BestDarkForum[.]cc. There, DaVinci listed services such as:
To put these prices into perspective, 100,000 Russian Rubles roughly equals 865 British Pounds. The official symbol of the Russian currency is ₽, but ‘p’ is also used colloquially.
A more recent post on the Russian-speaking forum Open Card, on 22 April 2020, saw the DaVinci group offering a range of other services, potentially indicating that they have insiders at, or abuse police powers over, various Russian mobile carriers and telecommunications companies. Some of these services were as follows:
Registration data of an individual or legal entity by phone number, i.e. finding out who a mobile phone number is registered to:
Details of calls and SMS of an individual (without message text) and without base station addresses:
Access to an individual’s personal account:
Blocking a phone number:
Additional mobile-hacking related services:
Other notable services offered by DaVinci via their Open Card post were as follows:
This type of service offered by DaVinci is also known as “Probiv”, a Russian-language slang term best translated into English as “look-up”. A customer provides some information about an individual and, for a fee, receives other personal information associated with that target. Acquiring this data is believed to be largely facilitated by corrupt Russian employees who use their privileged position to perform searches on internal systems and obtain the data requested by the cybercrime forum vendors (in this case, DaVinci), who act as intermediaries.
The reports by CERT-UA on UAC-0050 lead us to believe that The DaVinci Group mercenaries are potentially working with the Russian government to target Ukraine. From investigating DaVinci’s services on their websites, social media posts, and cybercrime forum posts, it appears that they have the capabilities to do so.
However, the sheer lack of OPSEC in using their own branded website as a command-and-control (C2) server is unusual. CERT-UA also noted this odd behaviour and mentioned in their report that The DaVinci Group has “recently been actively trying to draw attention to themselves”.
One hypothesis for this bizarre activity is that DaVinci may be using CERT-UA’s incident reports as a sort of meta advertising tool to get themselves noticed by Russian intelligence agencies, in the hope of winning a big contract to act as initial access brokers for Russian APT groups such as Sandworm, Turla, or CozyBear, which are affiliated with the GRU, FSB, and SVR, respectively.
In closing, The DaVinci Group (UAC-0050) is a low-tier mercenary threat group that appears to dabble in both cybercrime and state-sponsored intelligence gathering. The very existence of this threat group further highlights the blurred lines between the cybercrime underground and the Russian government.