A sophisticated threat cluster tracked as UAC-0212 has escalated efforts to compromise critical infrastructure systems in Ukraine, according to a recent advisory from CERT-UA (Government Computer Emergency Response Team of Ukraine).
These attacks, active since July 2024, focus on energy, water supply, grain logistics, and transportation sectors through coordinated supply-chain compromises.
The group employs destructive payloads, advanced persistence mechanisms, and novel evasion techniques to disrupt industrial control systems (ICS) and operational technology (OT).
UAC-0212 operates as a subcluster of the notorious UAC-0002 (Sandworm/APT44) group, blending traditional cyberespionage with destructive objectives.
Initial infection vectors involve phishing emails carrying weaponized PDF documents. The attachments are malicious LNK files disguised as PDFs (e.g. CV_Vitaliy_Klymenko_22.11.2024.pdf.lnk) that exploit CVE-2024-382, a critical Windows vulnerability enabling arbitrary PowerShell command execution.
CERT-UA noted that upon activation, these files download decoy documents while deploying modular malware such as SECONDBEST, EMPIREPAST, and SPARK in the background.
The attackers leverage legitimate network protocols like RSYNC (C:\Windows\Microsoft\Rsync\rsync.exe) for lateral movement and data exfiltration.
Persistent footholds are established through registry modifications (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemZ_611) and startup scripts (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\updater.vbs).
Attack Chain and Malware Toolset
The infection chain begins with a malicious PDF containing obfuscated PowerShell commands. For instance, the following snippet employs XOR-based payload decryption and connects to 62.113.238.72 for command-and-control (C2):-
powershell JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBmAGUAbQB1AG4AZABlAG4AZwBlAHIAZABh... [truncated] JABTAHQAcgBpAG4AZwBSAGEAbgBkAG8AbQBGAG8AbABkAGUAcgAgAD0AIABHAGUAdAAtAFIAYQBuA... [truncated]
Key payloads include:-
- SECONDBEST: A GoLang-based loader that deploys CROOKBAG (SHA256: 9bdf252eec4cf8a32cd92be3568e6187e80a80ecc5c528439312fb263cda8905).
- EMPIREPAST: A DLL sideloader (ssowoface.dll, SHA256: 1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a) mimicking legitimate software updates.
- SPARK: A remote access trojan (RAT) communicating with 154.222.245.165 over TCP/443.
Infrastructure targeting includes Ukrainian logistics firms specializing in hazardous material transport and grain storage systems. The attackers exfiltrate engineering schematics and ICS credentials to facilitate downstream attacks.
CERT-UA urges critical infrastructure operators to audit suspicious registry entries, monitor RSYNC traffic, and block the following IOCs:-
- IP addresses: 91.232.31.178, 185.220.101.104, 45.200.185.5
- File hashes: 1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a (EMPIREPAST), bf3b92423ec8109b38cc4b27795624b65665a1f3a6a18dab29613d4415b4aa18 (SPARK)
Organizations are advised to prioritize network segmentation and enforce application allowlisting for PowerShell.
As UAC-0212 reuses compromised credentials for lateral movement, CERT-UA recommends rotating all administrative passwords and deploying endpoint detection for anomalous LNK file activity.
The agency warns that mere “antivirus scans” or OS reinstalls are insufficient, as attackers rapidly establish backup persistence mechanisms.
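As an added illustration of the audit CERT-UA recommends (this script is not part of the advisory or the article), the following read-only PowerShell check looks for the specific persistence and tooling artifacts named above: the Run value, the Startup-folder script, the staged rsync.exe, the sideloaded DLL name, and the published SHA256 hashes. It assumes Windows PowerShell 5.1 or later and the scan roots chosen here are an assumption, not from the advisory.

```powershell
# Added example, not from CERT-UA: read-only host audit for UAC-0212 artifacts.
# Assumes Windows PowerShell 5.1+; run with rights to read the user's profile.
$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'SystemZ_611'                     # Run value named in the advisory
$Startup   = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$RsyncPath = 'C:\Windows\Microsoft\Rsync\rsync.exe'
# SHA256 hashes published in the advisory (lower-case keys for comparison)
$KnownHashes = @{
    '9bdf252eec4cf8a32cd92be3568e6187e80a80ecc5c528439312fb263cda8905' = 'CROOKBAG'
    '1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a' = 'EMPIREPAST (ssowoface.dll)'
    'bf3b92423ec8109b38cc4b27795624b65665a1f3a6a18dab29613d4415b4aa18' = 'SPARK'
}
$findings = @()

# 1. Registry Run value used for persistence
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $RunValue)) {
    $findings += "Run value '$RunValue' present, command: $($run.$RunValue)"
}

# 2. Startup-folder scripts and shortcuts (updater.vbs, or any other .vbs/.lnk)
Get-ChildItem -Path $Startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.lnk' } |
    ForEach-Object { $findings += "Startup item: $($_.FullName)" }

# 3. rsync binary staged under the Windows directory
if (Test-Path -Path $RsyncPath) { $findings += "rsync.exe staged at $RsyncPath" }

# 4. Hash and name check of recently written DLL/EXE files in user-writable paths
#    (scan roots and the 30-day window are assumptions, not advisory guidance)
$scanRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
Get-ChildItem -Path $scanRoots -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
        if ($h -and $KnownHashes.ContainsKey($h.ToLower())) {
            $findings += "Known hash ($($KnownHashes[$h.ToLower()])): $($_.FullName)"
        }
        if ($_.Name -ieq 'ssowoface.dll') { $findings += "Sideload DLL name match: $($_.FullName)" }
    }

if ($findings.Count -eq 0) { 'No UAC-0212 indicators found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any item is a trigger for isolation and full forensic collection rather than cleanup, since the article notes the group quickly re-establishes backup persistence.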