Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File

Published: 23/11/2024   Category: security




The campaign uses a multistage payload-delivery process and various mechanisms for evasion and persistence.



A threat actor is attempting to deploy the Cobalt Strike post-exploit toolkit on Windows systems belonging to users in Ukraine.
The focus of the campaign appears to be to gain complete remote control of targeted systems for future payload deployment and potentially other malicious purposes, researchers at Fortinet said in a blog post this week.
The security vendor described the threat actor as using a Ukrainian-themed Excel file with an embedded Visual Basic for Applications (VBA) macro as the initial lure. If an unwary user enables the macro, it deploys a dynamic link library (DLL) downloader, obfuscated with the open source ConfuserEx tool, on the victim system.
One of the first things the DLL downloader does is check for antivirus and other malware detection tools on the compromised system. If it detects one, it immediately terminates all further activity. Otherwise, it uses a Web request to pull the next-stage payload from a remote location. The DLL downloader is designed so that it can only retrieve the second-stage payload on devices located in Ukraine. From there, the downloader executes a series of steps that results in Cobalt Strike being deployed on the victim device.
In this sophisticated attack, the assailant employs multi-stage malware tactics to thwart detection while ensuring operational stability, Fortinet security researcher Cara Lin wrote in the blog. By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts, Lin added.
Other evasion and persistence mechanisms include the use of encoded strings in the VBA macro to facilitate the deployment of DLL files, a self-deleting feature to evade detection mechanisms and a DLL injector that employs delaying tactics, and parent process termination mechanisms to evade sandboxes.
These orchestrated maneuvers converge towards the deployment of Cobalt Strike onto targeted endpoints, particularly within the confines of Ukraine's geopolitical landscape, Lin said.
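The evasion and persistence behaviours described above (an Office process handing off to a DLL loader, a parent that terminates right after spawning its child, and a self-deleting stage) are all visible in endpoint process telemetry. The following Python is an added example of how a detection engineer might encode those three patterns as heuristics over process-creation records; it is not code from the Fortinet report or from the article, and the event records, file paths, process names and the five-second window are constructed sample values, not indicators from the campaign.

```python
"""Detection heuristics for the evasion behaviours described in the article.

Every record below is constructed sample telemetry for this example; none of
the paths, names or timings come from the Fortinet report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical image lists chosen for this example, not from the report.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_HOST_IMAGES = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcEvent:
    """One process-creation record, modelled on common EDR/Sysmon fields."""
    ts: datetime
    pid: int
    ppid: int
    image: str                 # full path of the executable
    cmdline: str
    exit_ts: Optional[datetime] = None   # None if the process is still running


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def office_spawns_dll_host(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Macro-driven DLL loading: an Office parent starting a DLL-hosting utility."""
    by_pid = _index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and basename(parent.image) in OFFICE_IMAGES
                and basename(e.image) in DLL_HOST_IMAGES):
            hits.append(("office_spawns_dll_host", e.pid))
    return hits


def parent_exits_early(events: List[ProcEvent],
                       window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, int]]:
    """Parent-termination evasion: the parent exits within `window` of spawning its child."""
    by_pid = _index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.exit_ts is None:
            continue
        if timedelta(0) <= parent.exit_ts - e.ts <= window:
            hits.append(("parent_exits_early", e.pid))
    return hits


def self_delete(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Self-deletion: a cmd.exe child whose 'del' command names its parent's own image."""
    by_pid = _index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(e.image) != "cmd.exe":
            continue
        cl = e.cmdline.lower()
        if " del " in cl and parent.image.lower() in cl:
            hits.append(("self_delete", e.pid))
    return hits


def run_all(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    return office_spawns_dll_host(events) + parent_exits_early(events) + self_delete(events)


# Constructed sample telemetry: one lure chain plus benign background activity.
T0 = datetime(2024, 11, 20, 10, 0, 0)
DLL = r"C:\Users\victim\AppData\Roaming\loader.dll"      # placeholder path
STAGE2 = r"C:\Users\victim\AppData\Roaming\stage2.exe"   # placeholder path

SAMPLE_EVENTS = [
    ProcEvent(T0, 100, 1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              'EXCEL.EXE "C:\\Users\\victim\\Downloads\\lure.xlsm"',
              exit_ts=T0 + timedelta(seconds=40)),
    ProcEvent(T0 + timedelta(seconds=5), 200, 100, r"C:\Windows\System32\rundll32.exe",
              f'rundll32.exe "{DLL}",Run', exit_ts=T0 + timedelta(seconds=6)),
    ProcEvent(T0 + timedelta(seconds=5, milliseconds=500), 300, 200, STAGE2, f'"{STAGE2}"'),
    ProcEvent(T0 + timedelta(seconds=7), 400, 300, r"C:\Windows\System32\cmd.exe",
              f'cmd.exe /c del "{STAGE2}"'),
    ProcEvent(T0 + timedelta(seconds=9), 500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(T0 + timedelta(seconds=10), 600, 500, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, pid in run_all(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each heuristic is deliberately narrow so that the benign explorer.exe to notepad.exe pair produces no alert; in production the parent-termination rule needs a tuned window and an allowlist, since installers and updaters also spawn short-lived parents.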
The new campaign is similar to numerous others that have targeted individuals and organizations in Ukraine that Fortinet and others have reported in recent years, especially after Russia's 2022 invasion. Many of these attacks have involved attempts to disrupt and degrade the capabilities of Ukraine's critical infrastructure. Others have targeted Ukraine's government and military entities, often in support of Russian military objectives in the country.
Cybergroups based in Russia and those working for its military intelligence have often been the primary perpetrators. Their weapons of choice have included everything from noisy data wipers and ransomware to highly sophisticated custom-designed tools such as Industroyer, which Russia's Sandworm group used in attacks against Ukraine's electric grid.
The new attacks that Fortinet detected recently are not the first involving the use of Cobalt Strike against Ukrainian targets either. In 2022, the security vendor observed another threat actor using a Ukrainian military-themed Excel document to deliver Cobalt Strike on systems in Ukraine. Last year, Ukraine's Computer Emergency Response Team reported on threat actor UAC-0057 using an XLS file with an embedded macro and a lure image to deploy Cobalt Strike Beacon and PicassoLoader malware on victim systems in Ukraine.
