Ukrainian government agencies have fallen victim to a sophisticated cyberattack campaign orchestrated by the UAC-0001 group, also known as APT28, targeting industrial control system (ICS) devices running Windows operating systems as servers.
The attacks, which took place between March and April 2024, represent a significant escalation in state-sponsored cyber warfare tactics, demonstrating advanced techniques for penetrating critical infrastructure systems.
The campaign specifically targeted the information and communication system of a central executive body, where the attackers successfully deployed two primary malware tools: BEARDSHELL and SLIMAGENT.
These sophisticated software tools were designed to establish persistent access and conduct extensive surveillance operations within compromised networks.
The attack methodology followed a multi-stage approach, beginning with social engineering via the Signal messaging platform and culminating in the deployment of advanced backdoor capabilities.
CERT-UA analysts identified the technical details during their incident response investigation, discovering that the compromised systems were actively serving as command and control infrastructure for the threat actors.
The researchers noted that the initial compromise involved an unidentified person sending a document titled “Act.doc” via Signal, which contained malicious macros designed to execute upon user interaction.
This delivery method proved particularly effective because it bypassed traditional email security measures and exploited the trust associated with Signal communications.
The scope of the attack extended beyond the initial March-April 2024 timeframe, with operational intelligence obtained in May 2025 indicating unauthorized access to email accounts within the gov.ua domain zone.
This revelation suggests a prolonged campaign with multiple phases of infiltration and data exfiltration activity.
The attackers demonstrated detailed knowledge of their targets, possessing specific information about the situation within the relevant government departments.
Infection Mechanism and Persistence Tactics
The infection chain used by UAC-0001 demonstrates considerable sophistication in its multi-layered approach to system compromise and persistence.
Upon activation of the malicious Act.doc document, the embedded macro code executes a carefully orchestrated sequence of file creation and registry manipulation operations.
The macro creates two critical files, %APPDATA%\microsoft\protect\ctec.dll and %LOCALAPPDATA%\windows.png, while simultaneously establishing a COM-hijacking registry key at HKCU\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32.
The ctec.dll file serves as the primary decryption mechanism, responsible for processing and executing shellcode stored within the seemingly innocuous windows.png file.
This shellcode then launches the COVENANT framework component (ksmqsyck.dx4.exe) directly in system memory, establishing communication with command and control servers via the Koofr service API.
The choice of legitimate cloud storage services as communication channels demonstrates the attackers’ commitment to evading network detection mechanisms.
The persistence mechanism relies heavily on COM-hijacking techniques, creating additional registry entries to ensure continued access even after system reboots.
The malware establishes a secondary persistence method through the registry key HKEY_CURRENT_USER\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32, which triggers the execution of PlaySndSrv.dll via the legitimate Windows scheduled task Microsoft\Windows\Multimedia\SystemSoundsService.
This technique exemplifies the threat actors’ sophisticated understanding of Windows system internals and their ability to abuse legitimate system features for malicious purposes.
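A per-user InProcServer32 entry for a system CLSID overrides the machine-wide registration, so the two keys above can be checked directly. The following hunt script is an added example, not code from CERT-UA or the report; it assumes it is run in the profile of the affected user, since both registry keys live under HKCU and both drop paths are under that user's profile.

```powershell
# Added hunt script: checks the COM-hijack keys, dropped files and the abused
# scheduled task described above. Run as the user under investigation.
$Clsids = @(
    '{2227A280-3AEA-1069-A2DE-08002B30309D}',   # hijacked by the Act.doc macro (ctec.dll)
    '{2DEA658F-54C1-4227-AF9B-260AB5FC3543}'    # secondary persistence (PlaySndSrv.dll)
)
$DropPaths = @(
    (Join-Path $env:APPDATA 'microsoft\protect\ctec.dll'),
    (Join-Path $env:LOCALAPPDATA 'windows.png')
)
$Findings = @()

foreach ($clsid in $Clsids) {
    $key = "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32"
    if (Test-Path $key) {
        # Any InProcServer32 under HKCU for these CLSIDs is suspicious: the
        # legitimate registrations live under HKLM, and the HKCU copy wins.
        $server = (Get-ItemProperty -Path $key).'(default)'
        $Findings += [pscustomobject]@{ Type = 'COM hijack'; Location = $key; Value = $server }
    }
}

foreach ($path in $DropPaths) {
    if (Test-Path $path) {
        $Findings += [pscustomobject]@{ Type = 'Dropped file'; Location = $path; Value = (Get-Item $path).Length }
    }
}

# The task itself is a legitimate Windows task; the hijacked CLSID decides which
# DLL it loads, so report its presence and state alongside the registry findings.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Multimedia\' -TaskName 'SystemSoundsService' -ErrorAction SilentlyContinue
if ($task) {
    $Findings += [pscustomobject]@{ Type = 'Task present'; Location = ($task.TaskPath + $task.TaskName); Value = $task.State }
}

if ($Findings.Count -eq 0) {
    'No indicators from the described infection chain were found for this user.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A hit on either CLSID key is the finding that matters; the task entry is reported only so the DLL path recorded in the hijacked key can be correlated with it.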