Keypoints
- CERT-UA attributed a coordinated campaign to UAC-0133 (linked to Sandworm/UAC-0002) targeting ~20 ICS sites in energy, water and heat sectors.
- Attackers used a mix of Windows and Linux tooling: QUEUESEED and GOSSIPFLOW on Windows; LOADGRIP and BIASBOAT (Linux QUEUESEED variant) on Linux hosts.
- Initial access was often via supply-chain compromise of supplier SDRs or by misuse of supplier maintenance access, enabling broad deployment into ICS networks.
- LOADGRIP injected encrypted payloads using the ptrace API; payload decryption depended on a static key combined with the host “machine-id”.
- Attackers achieved lateral movement from compromised SDR machines, using the WEEVELY PHP web shell and the REGEORG.NEO and PIVOTNACCI PHP tunnels, and maintained persistence via scheduled tasks and Run registry entries.
- Command-and-control used HTTPS with JSON and GOSSIPFLOW-created SOCKS5 tunnels (Yamux multiplexer); QUEUESEED used RSA+AES for communications and AES for local config storage.
- CERT-UA responded by notifying affected organizations (07–15 Mar 2024), removing malware, constructing incident chronology, hardening server/network configs, and deploying security tech.
MITRE Techniques
- [T1195] Supply Chain Compromise – Compromised supplier software distribution repositories (SDRs) introduced backdoored or vulnerable software into ICS environments. (‘compromise of at least three “supply chains”’; ‘SDR, which contained software bookmarks [i.e. backdoors] and vulnerabilities’)
- [T1190] Exploit Public-Facing Application – Vulnerabilities in supplier software enabled unauthorized access into ICS environments. (‘even a superficial analysis of the source code reveals trivial vulnerabilities that allow remote code execution (RCE)’)
- [T1059] Command and Scripting Interpreter – PHP web shells and tunnels (WEEVELY, REGEORG.NEO, PIVOTNACCI) executed commands and facilitated lateral movement; T1505.003 (Server Software Component: Web Shell) is the more specific mapping for these implants. (‘a pre-created PHP web shell WEEVELY, a PHP tunnel REGEORG.NEO or PIVOTNACCI were detected’)
- [T1053] Scheduled Task/Job – Persistence achieved by creating scheduled tasks to run backdoors (QUEUESEED dropper created scheduled tasks). (‘dropper that creates a corresponding scheduled task or entry in the “Run” branch of the Windows registry’)
- [T1547] Boot or Logon Autostart Execution – Registry “Run” entries and other autorun items used to persist QUEUESEED on Windows hosts. (‘entry in the “Run” branch of the Windows registry’)
- [T1068] Exploitation for Privilege Escalation – Vulnerabilities and pre-planted backdoors (‘software bookmarks’ in the source’s translation) in supplier software gave attackers elevated capability within ICS systems. (‘software bookmarks and vulnerabilities’ providing initial unauthorized access)
- [T1027] Obfuscated Files or Information – Encryption (RSA+AES, AES128-CBC) used to hide C2 traffic, configs and payloads (QUEUESEED, BIASBOAT, LOADGRIP). (‘Data is transmitted in JSON format and encrypted using RSA+AES’; ‘payload is usually presented in an encrypted form (AES128-CBC)’)
- [T1082] System Information Discovery – QUEUESEED gathers host details (OS, language, user) to inform follow-on actions. (‘Gets basic information about the computer (OS, language, user name)’)
- [T1021] Remote Services (Lateral Movement) – Compromised SDR machines were leveraged for horizontal movement into corporate and ICS networks. (‘criminals used them for horizontal movement and development of cyberattacks in relation to corporate networks of enterprises’)
- [T1071] Application Layer Protocol – C2 over HTTPS with JSON used by QUEUESEED for command and control. (‘HTTPS is used for interaction with the management server’; ‘Data is transmitted in JSON format’)
- [T1090] Proxy – GOSSIPFLOW provided SOCKS5 proxy functionality and Yamux multiplexing for tunneling C2 and lateral-movement traffic. (‘Provides tunnel construction (uses Yamux multiplexer library) and performs SOCKS5 proxy functionality’)
- [T1055] Process Injection – LOADGRIP injected payloads into processes using the ptrace API on Linux. (‘main functionality is launching the payload by injection using the ptrace API’)
- [T1499] Endpoint Denial of Service (Impact) – The operational goal was disruption of critical services to amplify kinetic strikes on infrastructure; this mapping follows from the stated objective rather than from an observed DoS payload. (‘to be used to enhance the effect of missile strikes on infrastructure facilities’)
Indicators of Compromise
- [File hashes] Malware and scripts observed – e.g., 50b5582904fe3445… (QUEUESEED dropper crdss.exe), 5ff34c5296a5b170… (bir.elf BIASBOAT decrypted), and 60+ other file hashes.
- [File names] Notable binaries/scripts – e.g., crdss.exe (QUEUESEED dropper), lunose.wll (QUEUESEED), bir.elf (BIASBOAT decrypted), and many additional filenames.
- [Host file paths] Linux/Windows placement – e.g., /etc/init.d/crm.sh, /etc/ld.so.preload, %PROGRAMDATA%\Microsoft\lunose.wll, and many other system/library and web paths.
- [Scheduled tasks / Registry] Persistence indicators – e.g., C:\Windows\System32\Tasks\Microsoft\Windows\Sens Api and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sens Api.
- [Web shells / scripts] Detected web implants – e.g., meter.php (WEEVELY), settings125.report.php (REGEORG.NEO), jobs.php (PIVOTNACCI), and other PHP implant files.
- [Network IPs / URLs] C2 and infrastructure – e.g., 185.38.150.8 (https://185.38.150.8:443/star/key), 185.153.199.43 (observed in launcher command), and ~20+ additional IPs and URLs (e.g., 165.231.34.106, 178.250.188.114/ubuntu/focal).
CERT-UA’s technical analysis shows attackers gained initial access primarily through compromised supplier SDRs or supplier maintenance access, implanting backdoors in both Windows and Linux automation servers.
On Windows hosts the attackers used QUEUESEED (a C++ backdoor) with RSA+AES-protected HTTPS/JSON C2, AES-encrypted command queues stored in the registry under a key derived from the host’s MachineGuid, and dropper-created scheduled tasks or Run entries for persistence; the WEEVELY web shell and the REGEORG.NEO and PIVOTNACCI tunnels maintained remote access and supported lateral movement.
On Linux hosts the campaign deployed LOADGRIP (ELF), which decrypts an AES128-CBC payload with a key derived from a static constant combined with the host machine-id and injects it via the ptrace API, typically launching BIASBOAT (ELF, the Linux variant of QUEUESEED); binaries were usually stored under /var/lib/*, and init scripts (/etc/init.d/*.sh) and /etc/ld.so.preload were used for persistence.
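As an added example (not CERT-UA’s code or tooling), the following Go program turns the Linux persistence and injection indicators above into three hunting rules and runs them over constructed sample artifacts: an /etc/ld.so.preload entry, two /etc/init.d scripts, and auditd SYSCALL records for ptrace (syscall 101 on x86_64; request codes PTRACE_POKETEXT=4 and PTRACE_POKEDATA=5 are writes into another process). The sample contents, the debugger allow-list and the path heuristics are assumptions for illustration, not indicators from the report.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one suspicious artifact together with the rule that flagged it.
type Finding struct {
	Rule   string
	Detail string
}

// Constructed sample artifacts (assumed, not captured data), shaped after the
// path patterns in the report: a preload library under /var/lib, an init
// script /etc/init.d/*.sh, and auditd SYSCALL records for ptrace(2).
const samplePreload = "# constructed /etc/ld.so.preload\n/var/lib/libxcache.so\n"

var sampleInitScripts = map[string]string{
	"/etc/init.d/crm.sh": "#!/bin/sh\n/var/lib/.cache/crm &\n",
	"/etc/init.d/ssh":    "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: sshd\n",
}

var sampleAudit = []string{
	// syscall=101 is ptrace on x86_64; a0 is the request code in hex.
	`type=SYSCALL msg=audit(1710000000.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 comm="crm" exe="/var/lib/.cache/crm" uid=0`,
	`type=SYSCALL msg=audit(1710000000.102:502): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 comm="crm" exe="/var/lib/.cache/crm" uid=0`,
	`type=SYSCALL msg=audit(1710000000.103:503): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1f4 comm="gdb" exe="/usr/bin/gdb" uid=1000`,
}

// ptrace request codes from <sys/ptrace.h> that write into the tracee.
const (
	ptracePokeText = 4
	ptracePokeData = 5
)

// Binaries expected to write into other processes (assumed allow-list).
var knownDebuggers = map[string]bool{"gdb": true, "strace": true, "lldb": true}

var ptraceRe = regexp.MustCompile(`syscall=101 .*?a0=([0-9a-f]+) .*?exe="([^"]+)"`)

// HuntLinux applies three rules and returns findings sorted by rule, then detail.
func HuntLinux(preload string, initScripts map[string]string, auditLines []string) []Finding {
	var out []Finding

	// Rule 1: any ld.so.preload entry outside the system library directories.
	for _, line := range strings.Split(preload, "\n") {
		p := strings.TrimSpace(line)
		if p == "" || strings.HasPrefix(p, "#") {
			continue
		}
		if !strings.HasPrefix(p, "/usr/lib/") && !strings.HasPrefix(p, "/lib/") {
			out = append(out, Finding{"ld.so.preload", p})
		}
	}

	// Rule 2: init scripts named *.sh or launching anything from /var/lib.
	for name, body := range initScripts {
		if strings.HasSuffix(name, ".sh") || strings.Contains(body, "/var/lib/") {
			out = append(out, Finding{"init.d", name})
		}
	}

	// Rule 3: ptrace writes (POKETEXT/POKEDATA) by a binary that is not a debugger.
	seen := map[string]bool{}
	for _, l := range auditLines {
		m := ptraceRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		req, err := strconv.ParseUint(m[1], 16, 64)
		if err != nil {
			continue
		}
		exe := m[2]
		if (req == ptracePokeText || req == ptracePokeData) && !knownDebuggers[path.Base(exe)] && !seen[exe] {
			seen[exe] = true
			out = append(out, Finding{"ptrace-write", exe})
		}
	}

	sort.Slice(out, func(i, j int) bool {
		if out[i].Rule != out[j].Rule {
			return out[i].Rule < out[j].Rule
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

func main() {
	for _, f := range HuntLinux(samplePreload, sampleInitScripts, sampleAudit) {
		fmt.Printf("%-14s %s\n", f.Rule, f.Detail)
	}
}
```

Rule 3 deliberately ignores PTRACE_ATTACH on its own (debuggers and profilers attach all the time) and keys on writes into the tracee, which is what an injector such as the one described for LOADGRIP must do; feed it real auditd output collected with a `-S ptrace` rule and extend the allow-list to whatever legitimately traces processes on the host.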
Operational tradecraft included use of SDR machines as stepping stones for lateral movement across corporate and ICS networks, C2 implemented over HTTPS (QUEUESEED) and multiplexed SOCKS5 tunnels (GOSSIPFLOW using Yamux), and encryption to obfuscate configuration and communications. Artifacts observed include the scheduled task name “Sens Api”, specific file hashes and filenames (crdss.exe, lunose.wll, bir.elf), web shell script names (meter.php, man.php, settings125.report.php), and C2 IPs/URLs (185.38.150.8, 185.153.199.43, 178.250.188.114), all of which can be used for detection and hunting.
CERT-UA’s remediation steps focused on notifying affected sites, removing implants, analyzing and decrypting payloads, reconstructing incident timelines, and hardening server/network configurations (segmenting supplier SDRs, removing weak autorun entries, and tightening supplier access). Defenders should treat SDRs and supplier-managed automation PCs as high-risk trust boundaries, monitor for the listed file/path/registry/task IOCs, block known C2 IPs/URLs, and audit for ptrace-based injection and AES-encrypted payload loaders that derive keys from host identifiers. Because LOADGRIP’s key depends on the host machine-id (and QUEUESEED’s registry data on the MachineGuid), responders should capture /etc/machine-id and the Windows MachineGuid alongside the binaries before a host is wiped or reimaged; without them the encrypted payloads and configs cannot be decrypted offline.
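To make the machine-id caveat concrete, here is an added Go example (not LOADGRIP’s code and not CERT-UA’s decryptor) of a host-bound AES-128-CBC payload loader and the matching offline decryption step. The combination of static key and machine-id is assumed here to be the first 16 bytes of SHA-256(static || machine-id), the blob layout is assumed to be IV followed by ciphertext, and the static key, machine-id, IV and payload bytes are all constructed; the report only states that the key is derived from a static value and the host machine-id.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample inputs (assumptions for illustration, not values from the report).
var (
	sampleStaticKey = []byte("constructed-static-key")
	sampleMachineID = "3f2b1c0d9e8a7f6e5d4c3b2a19081716" // 32 hex chars, like /etc/machine-id
	sampleIV        = []byte("0123456789abcdef")           // 16 bytes, one AES block
	samplePlain     = append([]byte{0x7f, 'E', 'L', 'F'}, []byte("constructed payload body")...)
)

var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// DeriveKey is an assumed construction: the first 16 bytes of
// SHA-256(static || machine-id) become the AES-128 key. The real
// combination used by LOADGRIP is not given in the summary.
func DeriveKey(static []byte, machineID string) []byte {
	h := sha256.New()
	h.Write(static)
	h.Write([]byte(machineID))
	return h.Sum(nil)[:16]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptPayload builds a blob laid out as iv || AES-128-CBC(PKCS#7(plaintext));
// it stands in for the attacker's build step so the example runs offline.
func EncryptPayload(static []byte, machineID string, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(DeriveKey(static, machineID))
	if err != nil {
		panic(err) // DeriveKey always returns 16 bytes
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}

// DecryptPayload recovers the payload for the given machine-id and refuses
// output that does not start with the ELF magic, so a wrong key is reported
// instead of being handed to an injector as "code".
func DecryptPayload(static []byte, machineID string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block-aligned")
	}
	block, err := aes.NewCipher(DeriveKey(static, machineID))
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (wrong static key or machine-id?): %w", err)
	}
	if !bytes.HasPrefix(pt, elfMagic) {
		return nil, errors.New("decrypted data is not an ELF: wrong static key or machine-id")
	}
	return pt, nil
}

func main() {
	blob := EncryptPayload(sampleStaticKey, sampleMachineID, sampleIV, samplePlain)
	if pt, err := DecryptPayload(sampleStaticKey, sampleMachineID, blob); err == nil {
		fmt.Printf("victim host:   %q\n", pt)
	}
	// The same blob copied to an analysis box whose machine-id differs:
	_, err := DecryptPayload(sampleStaticKey, "00000000000000000000000000000000", blob)
	fmt.Println("analysis host:", err)
}
```

The second call is the responder’s situation when only the loader and blob were collected: the static constant can be pulled from the LOADGRIP binary, but without the victim’s /etc/machine-id the derived key is wrong and the payload never decrypts, which is why the identifier belongs in the evidence bundle.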
Read more: https://cert.gov.ua/article/6278706