Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

Jun 04, 2024 | Newsroom | Cyber Attack / Malware

A new sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with the aim of deploying Cobalt Strike and seizing control of the compromised hosts.

The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection.

“The attacker uses a multi-stage malware strategy to deliver the notorious ‘Cobalt Strike’ payload and establish communication with a command-and-control (C2) server,” security researcher Cara Lin said in a Monday report. “This attack employs various evasion techniques to ensure successful payload delivery.”


Cobalt Strike, developed and maintained by Fortra, is a legitimate adversary simulation toolkit used for red teaming operations. However, over the years, cracked versions of the software have been widely exploited by threat actors for malicious purposes.

The starting point of the attack is the Excel document that, when opened, displays content in Ukrainian and urges the victim to “Enable Content” in order to activate macros. It's worth noting that Microsoft has blocked macros by default in Microsoft Office as of July 2022.

Once macros are enabled, the document purportedly shows content related to the amount of funds allocated to military units, while, in the background, the HEX-encoded macro deploys a DLL-based downloader via the register server (regsvr32) utility.
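The step described above, an Office document launching regsvr32 to load a DLL, is exactly the kind of process-tree relationship a defender can alert on. The following detector is an added example, not code from the Fortinet report or from the article; the event records are constructed, loosely modelled on Sysmon Event ID 1 (process creation) fields, and the Office parent list and the trusted DLL directories are assumptions made for the example.

```python
"""Flag regsvr32 launches that look like macro-driven DLL loading.

Added example, not code from the report or the article. Event records are
constructed and only approximate real process-creation telemetry.
"""
import shlex
from dataclasses import dataclass

# Assumption: Office hosts we treat as suspicious parents of regsvr32.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Assumption: DLLs registered from these directories are not flagged on path alone.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str   # command line of the created process


def _basename(path: str) -> str:
    """Return the lowercased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_arguments(command_line: str) -> list[str]:
    """Extract .dll arguments from a command line, honouring quoted paths."""
    # posix=False keeps Windows backslashes literal and preserves quotes,
    # which we then strip from each token.
    tokens = shlex.split(command_line, posix=False)
    return [t.strip('"').lower() for t in tokens if t.strip('"').lower().endswith(".dll")]


def classify(event: ProcessEvent) -> list[str]:
    """Return the reasons a process-creation event is suspicious (empty = benign)."""
    reasons: list[str] = []
    if _basename(event.image) != "regsvr32.exe":
        return reasons
    parent = _basename(event.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"regsvr32 spawned by Office application {parent}")
    for dll in dll_arguments(event.command_line):
        if not dll.startswith(TRUSTED_DLL_DIRS):
            reasons.append(f"DLL outside Windows system directories: {dll}")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Run classify() over a batch and keep only the events that fired."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event.command_line, reasons))
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\update.dll"',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r"regsvr32.exe /s C:\Windows\System32\shell32.dll",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\victim\notes.txt",
    ),
    ProcessEvent(
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        image=r"C:\Windows\SysWOW64\regsvr32.exe",
        command_line=r"regsvr32.exe /s C:\Windows\SysWOW64\shell32.dll",
    ),
]


if __name__ == "__main__":
    for command_line, reasons in scan(SAMPLE_EVENTS):
        print(command_line)
        for reason in reasons:
            print("  -", reason)
```

The two signals are deliberately independent: an Office parent is suspicious regardless of which DLL is named, and a DLL loaded from a user-writable directory is worth a look even when the parent is not an Office process. Scoring them separately keeps the rule readable and makes it easy to tune one condition without weakening the other.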

The obfuscated downloader monitors running processes for those related to Avast Antivirus and Process Hacker, and promptly terminates itself if it detects one.

Assuming no such process is identified, it reaches out to a remote server to fetch the next-stage encoded payload, but only if the device in question is located in Ukraine. The decoded file is a DLL that's primarily responsible for launching another DLL file, an injector essential to extracting and running the final malware.


The attack procedure culminates in the deployment of a Cobalt Strike Beacon that establishes contact with a C2 server (“simonandschuster[.]shop”).

“By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts,” Lin said. “Leveraging encoded strings, the VBA conceals crucial import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads.”

“Furthermore, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively.”
