An advanced threat cluster tracked as UAC-0212 has intensified its efforts to breach critical infrastructure in Ukraine, according to a recent alert from CERT-UA (the Government Computer Emergency Response Team of Ukraine).
Since July 2024 the attacks have targeted the energy, water supply, grain logistics, and transportation sectors through coordinated supply-chain compromises.
The group uses malicious payloads, sophisticated persistence mechanisms, and novel evasion techniques to disrupt industrial control systems (ICS) and operational technology (OT).
UAC-0212 operates as a subgroup of the well-known UAC-0002 (Sandworm/APT44) cluster, combining conventional cyberespionage with destructive objectives.
The initial intrusion vector is phishing email carrying weaponized PDF documents. These PDFs disguise malicious LNK files (CV_Vitaliy_Klymenko_22.11.2024.pdf.lnk) that exploit CVE-2024-382, a critical Windows vulnerability that allows arbitrary PowerShell command execution.
CERT-UA observed that once triggered, these files fetch a decoy document while silently installing modular malware such as SECONDBEST, EMPIREPAST, and SPARK in the background.
The attackers use legitimate tools and protocols such as RSYNC (C:\Windows\Microsoft\Rsync\rsync.exe) for lateral movement and data exfiltration.
Persistence is established through registry Run entries (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemZ_611) and startup scripts (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\updater.vbs).
Intrusion Chain and Malware Arsenal
The intrusion chain begins with a malicious PDF carrying obfuscated PowerShell commands. For example, the following (truncated) snippet performs XOR-based payload decryption and connects to 62.113.238.72 for command and control (C2):
powershell JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBmAGUAbQB1AG4AZABlAG4AZwBlAHIAZABh... [truncated] JABTAHQAcgBpAG4AZwBSAGEAbgBkAG8AbQBGAG8AbABkAGUAcgAgAD0AIABHAGUAdAAtAFIAYQBuA... [truncated]
Key payloads include:
- SECONDBEST: a Go-based loader that drops CROOKBAG (SHA256: 9bdf252eec4cf8a32cd92be3568e6187e80a80ecc5c528439312fb263cda8905).
- EMPIREPAST: a DLL sideloader (ssowoface.dll, SHA256: 1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a) posing as a legitimate software update.
- SPARK: a remote access trojan (RAT) that communicates with 154.222.245.165 via TCP/443.
The compromised infrastructure includes Ukrainian logistics companies specializing in the transport of hazardous materials, as well as grain-reserve systems. The attackers exfiltrate engineering blueprints and ICS access to enable follow-on attacks.
CERT-UA advises critical-infrastructure operators to check for suspicious registry entries, monitor RSYNC traffic, and block the following IOCs:
- IP addresses: 91.232.31.178, 185.220.101.104, 45.200.185.5
- File hashes: 1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a (EMPIREPAST), bf3b92423ec8109b38cc4b27795624b65665a1f3a6a18dab29613d4415b4aa18 (SPARK)
Organizations are also advised to prioritize network segmentation and enforce application allowlisting for PowerShell.
Because UAC-0212 reuses compromised credentials for lateral movement, CERT-UA recommends rotating all administrative passwords and deploying endpoint detection for abnormal LNK file behavior.
The agency warns that “antivirus scans” or OS reinstalls alone are not enough, because the attackers quickly establish alternative persistence mechanisms.
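As an added example (not code from CERT-UA or the original post), the following Python hunt applies the indicators quoted above to endpoint telemetry: the rsync.exe path, the SystemZ_611 Run value, the Startup updater.vbs, the C2 IPs, the published SHA256 hashes, and the .pdf.lnk double-extension lure. The field names mirror Sysmon's (Image, TargetObject, TargetFilename, DestinationIp, Hashes, CommandLine), but the event lines are constructed for the demonstration, not real logs.

```python
import re
# Indicators quoted in the CERT-UA alert text above (C2 IPs, SHA256s, paths).
C2_IPS = {"62.113.238.72", "154.222.245.165", "91.232.31.178",
          "185.220.101.104", "45.200.185.5"}
HASHES = {
    "9bdf252eec4cf8a32cd92be3568e6187e80a80ecc5c528439312fb263cda8905": "CROOKBAG",
    "1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a": "EMPIREPAST",
    "bf3b92423ec8109b38cc4b27795624b65665a1f3a6a18dab29613d4415b4aa18": "SPARK",
}
RUN_VALUE = r"\currentversion\run\systemz_611"          # all paths compared lower-cased
STARTUP_VBS = r"\start menu\programs\startup\updater.vbs"
RSYNC_PATH = r"c:\windows\microsoft\rsync\rsync.exe"
DOUBLE_EXT = re.compile(r"\.pdf\.lnk\b", re.IGNORECASE)   # decoy "document.pdf.lnk" lure

# Constructed Sysmon-style "Key=Value;Key=Value" lines, not real telemetry.
EVENTS = [
    "EventId=1;Image=C:\\Windows\\Microsoft\\Rsync\\rsync.exe;CommandLine=rsync.exe -av D:\\ics\\ 10.0.0.7::drop",
    "EventId=13;TargetObject=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemZ_611",
    "EventId=11;TargetFilename=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.vbs",
    "EventId=3;Image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe;DestinationIp=154.222.245.165;DestinationPort=443",
    "EventId=7;ImageLoaded=C:\\ProgramData\\ssowoface.dll;Hashes=SHA256=1BE7C11D50E38668E35760F32AAC9F9536260D58685D3B88BCB9A276B3E0277A",
    "EventId=1;Image=C:\\Windows\\explorer.exe;CommandLine=explorer.exe C:\\Users\\u\\Downloads\\CV_Vitaliy_Klymenko_22.11.2024.pdf.lnk",
    "EventId=3;Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe;DestinationIp=93.184.216.34;DestinationPort=443",
]

def classify(line):
    """Return the (rule, detail) hits for one event line; empty list if nothing matched."""
    f = dict(kv.split("=", 1) for kv in line.split(";") if "=" in kv)
    hits = []
    image, target = f.get("Image", ""), f.get("TargetObject", "")
    fname, cmd = f.get("TargetFilename", ""), f.get("CommandLine", "")
    if image.lower() == RSYNC_PATH:
        hits.append(("rsync_lateral_movement", image))
    if RUN_VALUE in target.lower():
        hits.append(("run_key_persistence", target))
    if fname.lower().endswith(STARTUP_VBS):
        hits.append(("startup_vbs_persistence", fname))
    if f.get("DestinationIp") in C2_IPS:
        hits.append(("c2_ip", f["DestinationIp"]))
    for hv in f.get("Hashes", "").split(","):          # Sysmon format: "SHA256=...,MD5=..."
        if hv.lower().startswith("sha256=") and hv[7:].lower() in HASHES:
            hits.append(("known_hash", HASHES[hv[7:].lower()]))
    if DOUBLE_EXT.search(fname) or DOUBLE_EXT.search(cmd):
        hits.append(("double_extension_lnk", cmd or fname))
    return hits

def hunt(lines=EVENTS):
    """Map 1-based line number -> hits for every line that fired at least one rule."""
    return {n: classify(l) for n, l in enumerate(lines, 1) if classify(l)}
```

Running hunt() over the constructed events flags the first six lines and leaves the benign browser connection untouched; pointing it at a real Sysmon export only requires feeding the same key=value lines.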
The post UAC-0212 Hackers Launching Destructive Attack Targeting Critical Infrastructure appeared first on Cyber Security News.