UAC-0001 Hackers Compromise Windows Server in a Ukrainian Government Information and Communication System
CERT-UA Uncovers Sophisticated Cyber Threat
CERT-UA, Ukraine's national computer emergency response team, has disclosed a targeted cyberattack on the information and communication system (ICS) of a central executive body, carried out in March-April 2024. Note that "ICS" here means the victim's IT environment, not an industrial control system.
During the response, a Windows-based server was found to be compromised with two malicious tools: BEARDSHELL and SLIMAGENT.
BEARDSHELL, written in C++, downloads, decrypts (ChaCha20-Poly1305) and executes PowerShell scripts, and uploads the resulting output through the Icedrive service API.
It identifies each infected host by creating a directory whose name is a 64-bit FNV-1a hash (hash64_fnv1a) of the computer name and the hardware profile GUID.
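Recomputing that per-host directory name is a cheap way to hunt for BEARDSHELL on other machines. The block below is an added example, not CERT-UA's or the malware's code: the FNV-1a constants are the public standard, but the report does not say how BEARDSHELL joins the computer name and the hardware profile GUID or which string encoding it hashes, so candidate_dirnames() enumerates several plausible layouts (an assumption, labelled in the code) and a hunter can search the file system for any of them. The hardware profile GUID referred to is the value Windows stores under HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001\HwProfileGuid (also returned by GetCurrentHwProfile); the host name and GUID in the usage call are constructed.

```python
"""Recreate the per-host directory name BEARDSHELL derives with hash64_fnv1a.

Added example, not from the CERT-UA report. The concatenation order and the
string encoding the implant actually hashes are assumptions; several layouts
are enumerated so that any of them can be searched for.
"""

FNV64_OFFSET_BASIS = 0xCBF29CE484222325   # standard 64-bit FNV offset basis
FNV64_PRIME = 0x100000001B3               # standard 64-bit FNV prime
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a: XOR each byte into the state, then multiply by the prime (mod 2^64)."""
    h = FNV64_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


def candidate_dirnames(computer_name: str, hw_profile_guid: str) -> dict:
    """Return {layout label: 16-hex-digit directory name} for plausible input layouts.

    hw_profile_guid is the HwProfileGuid value, e.g. "{a12b3c4d-...}".
    ASSUMPTION: which concatenation and encoding the implant uses is not known,
    so narrow (UTF-8) and wide (UTF-16LE) strings and three orderings are tried.
    """
    bare_guid = hw_profile_guid.strip("{}")
    layouts = {
        "name+guid": computer_name + hw_profile_guid,
        "name+guid(no braces)": computer_name + bare_guid,
        "guid+name": hw_profile_guid + computer_name,
    }
    out = {}
    for label, text in layouts.items():
        for enc in ("utf-8", "utf-16-le"):
            out[f"{label}/{enc}"] = f"{fnv1a_64(text.encode(enc)):016x}"
    return out


def find_matching_layout(observed_dirname: str, computer_name: str, hw_profile_guid: str):
    """Given a directory name seen on a host, report which layout reproduces it (or None)."""
    target = observed_dirname.lower()
    for label, name in candidate_dirnames(computer_name, hw_profile_guid).items():
        if name == target:
            return label
    return None


if __name__ == "__main__":
    # Constructed sample host, not from the incident.
    sample = candidate_dirnames("SRV-DOC01", "{a12b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d}")
    for label, name in sample.items():
        print(f"{label:32} {name}")
```

On a suspect host, feed the real computer name and HwProfileGuid to candidate_dirnames() and search for directories with any of the resulting names; a hit under a user profile or TEMP path confirms the layout the implant uses, and find_matching_layout() tells you which one so the search can be narrowed on the rest of the fleet.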
SLIMAGENT, also written in C++, takes screenshots, encrypts them with a combination of AES and RSA, and stores them locally in the TEMP directory under timestamped filenames.
While the initial method of compromise remained unclear during the early investigation, the detected files were promptly shared with trusted security vendors and cyber threat researchers for further analysis.
Fast forward to May 2025, when operational intelligence from ESET flagged unauthorized access to an email account within the gov.ua domain.
CERT-UA, in collaboration with the Center for Cyber Security of Information and Telecommunications Systems of military unit A0334, launched a comprehensive response.
Investigation Reveals Advanced Malware
A subsequent computer-technical investigation unearthed additional malicious components, including a module of the COVENANT framework and the BEARDSHELL backdoor, alongside critical insights into the initial attack vector.
The attackers used a malicious document named "Act.doc", delivered via Signal, containing a macro that runs once the recipient enables macros.

The macro created two files, ctec.dll and windows.png, and modified the Windows registry to establish persistence through COM hijacking, so that the malicious DLL is loaded whenever explorer.exe (re)starts.
ctec.dll decrypts shellcode embedded in windows.png and launches a COVENANT component (ksmqsyck.dx4.exe) in memory; that implant uses the Koofr service API as its command-and-control channel.
Through COVENANT the attackers then downloaded further files, PlaySndSrv.dll and sample-03.wav, and deployed the BEARDSHELL backdoor by means of additional registry changes and scheduled tasks.
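The COM-hijack persistence described above leaves a durable trace: a per-user InProcServer32 registration under HKCU\Software\Classes\CLSID, which shadows the machine-wide HKLM registration for every process the user runs, explorer.exe included. The block below is an added example, not from the CERT-UA report: it parses text in Windows .reg export format (what `reg export HKCU\Software\Classes\CLSID out.reg` produces) and triages every such registration, ranking hits by whether the DLL sits in a user-writable directory and whether the CLSID matches the published indicator. The sample export is constructed and its DLL paths are invented.

```python
"""Triage per-user COM hijacks of the kind used to load ctec.dll.

Added example, not from the CERT-UA report. Input is .reg export text;
the sample below is constructed (paths invented).
"""
import re

# Key line of interest: [HKEY_CURRENT_USER\Software\Classes\CLSID\{GUID}\InProcServer32]
CLSID_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\]$",
    re.IGNORECASE,
)
# Default value in .reg syntax: @="C:\\path\\x.dll" (backslashes are doubled in the file)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

KNOWN_BAD_CLSIDS = {"{2227A280-3AEA-1069-A2DE-08002B30309D}"}   # from the IOC table
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\",
)


def parse_reg_export(text: str) -> dict:
    """Return {CLSID: server DLL path} for every HKCU CLSID InProcServer32 key in the export."""
    hits = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = CLSID_KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            continue
        if current is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m:
            hits[current] = m.group(1).replace("\\\\", "\\")   # undo .reg escaping
    return hits


def score(clsid: str, path: str) -> list:
    """Reasons a registration is suspicious; the first applies to every HKCU entry."""
    reasons = ["per-user InProcServer32 overrides the HKLM registration"]
    if clsid in KNOWN_BAD_CLSIDS:
        reasons.append("CLSID matches published IOC")
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL in user-writable directory")
    if not low.endswith(".dll"):
        reasons.append("server path does not end in .dll")
    return reasons


def triage(text: str) -> dict:
    return {clsid: score(clsid, path) for clsid, path in parse_reg_export(text).items()}


def load_reg_export(path: str) -> str:
    """reg.exe writes exports as UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample export: one entry mimicking the incident, one benign-looking vendor entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32]
@="C:\\Users\\user\\AppData\\Local\\Microsoft\\ctec.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\VendorApp\\shellext.dll"
"""

if __name__ == "__main__":
    for clsid, reasons in triage(SAMPLE_EXPORT).items():
        print(clsid, "->", "; ".join(reasons))
```

Run it against exports collected from each user profile on the fleet (a per-user hive has to be loaded for accounts that are not logged on); every entry it returns deserves a look, and any with three reasons is the pattern seen in this intrusion.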
The operation, attributed to the UAC-0001 (APT28) group, succeeded for several reasons: macros were allowed to run, Signal as a delivery channel was not covered by host security controls, and the legitimate cloud storage APIs of Icedrive and Koofr let the command-and-control traffic blend into normal web traffic.
CERT-UA recommends monitoring network traffic to app.koofr.net and api.icedrive.net to detect and contain further activity.
The incident underscores the growing sophistication of attacks against government information systems and the need for robust security controls to protect them.
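Turning the monitoring recommendation above into a check, as an added example that is not part of the CERT-UA report: the block matches proxy log entries against the two domains (exact host or a subdomain of it, never a lookalike such as api.icedrive.net.evil.example) and aggregates hits per client so that each internal host gets one line to triage. The log lines are constructed in a simple space-separated format (timestamp, client IP, destination host, method, path) rather than any real product's format; adapt parse_line() to your proxy or DNS logs.

```python
"""Flag internal hosts talking to the cloud-storage APIs the implants use for C2.

Added example, not from the CERT-UA report. SAMPLE_LOG is constructed.
"""
from datetime import datetime

WATCHED_DOMAINS = {"app.koofr.net", "api.icedrive.net"}   # from the CERT-UA recommendation


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain of it; lookalikes do not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str):
    """Constructed format: '<ISO timestamp> <client ip> <dest host> <method> <path>'."""
    ts, client, host, method, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, host, method, path


def find_c2_candidates(lines) -> dict:
    """Return {client_ip: {'count', 'first', 'last', 'hosts'}} for clients hitting watched domains."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, _method, _path = parse_line(line)
        if not any(host_matches(host, d) for d in WATCHED_DOMAINS):
            continue
        entry = hits.setdefault(client, {"count": 0, "first": ts, "last": ts, "hosts": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["hosts"].add(host.lower())
    return hits


# Constructed proxy log: one client using both services, one unrelated, one lookalike, one other subdomain.
SAMPLE_LOG = """\
2025-05-12T08:01:10 10.20.30.40 app.koofr.net POST /upload
2025-05-12T08:03:15 10.20.30.40 app.koofr.net GET /list
2025-05-12T08:04:02 10.20.30.41 www.example.org GET /index.html
2025-05-12T09:10:44 10.20.30.40 api.icedrive.net POST /files
2025-05-12T09:11:00 10.20.30.42 api.icedrive.net.evil.example GET /
2025-05-12T09:12:30 10.20.30.43 cdn.icedrive.net GET /static/app.js
"""

if __name__ == "__main__":
    for client, info in find_c2_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['count']} requests, {info['first']} .. {info['last']}, "
              f"hosts={sorted(info['hosts'])}")
```

Both services are legitimate, so a hit is a lead rather than a verdict: check which process and user on the flagged client generated the traffic, and whether the same client shows the registry or file artefacts listed in the IOC table.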
Indicators of Compromise (IOC)
| Type | Description | Value (MD5 for files) |
|---|---|---|
| File | Act.doc | 915179579ab7dc358c41ea99e4fcab52 |
| File | ctec.dll | 2cae8dc37baf5216a3e7342aac755894 |
| Network | Icedrive API | api.icedrive[.]net |
| Network | Koofr API | app.koofr[.]net |
| Host | Registry key (COM hijacking) | HKEY_CURRENT_USER\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32 |