A sophisticated cyber onslaught has recently targeted endpoints within Ukraine, aiming to deploy Cobalt Strike and commandeer the compromised systems.
According to Fortinet FortiGuard Labs, the assault sequence starts with a Microsoft Excel file embedded with a VBA macro designed to trigger the infection.
“The adversary employs a multi-tiered malware tactic to deliver the notorious ‘Cobalt Strike’ payload and establish a link with a command-and-control (C2) server,” noted security researcher Cara Lin in a Monday report. “This operation utilizes various evasion techniques to ensure the payload’s successful deployment.”
Cobalt Strike, created and managed by Fortra, is a legitimate tool for adversary simulation used in red teaming exercises. However, unauthorized versions of the software have been extensively misused by cybercriminals for nefarious purposes over the years.
The attack is initiated by the Excel document, which, upon opening, displays content in Ukrainian and prompts the victim to “Enable Content” to activate macros. Notably, Microsoft has disabled macros by default in Microsoft Office as of July 2022.
Upon enabling macros, the document ostensibly shows content related to military funding allocations. Simultaneously, the hex-encoded macro deploys a DLL-based downloader through the regsvr32 utility.
The obfuscated downloader monitors active processes for Avast Antivirus and Process Hacker, terminating itself if either is detected.
If no such processes are found, the downloader reaches out to a remote server to retrieve the next-stage encoded payload, contingent upon the device being located in Ukraine. The decoded file is a DLL tasked with launching another DLL, an injector vital for extracting and executing the final malware.
The culmination of the attack is the deployment of a Cobalt Strike Beacon, which establishes communication with a C2 server (“simonandschuster[.]shop”).
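The later stages of this chain are built to stay quiet in analysis environments (the downloader exits when Avast or Process Hacker is running, and the next stage is only served to devices in Ukraine), so a sandbox may never see the Beacon. The loader stage, however, always has to happen: an Office process spawns regsvr32 to register a DLL dropped somewhere writable. The following is an added detection example, not code from the Fortinet report; it runs that rule over constructed Sysmon/EDR-style process-creation records (the field names `parent_image`, `image`, `command_line` and the sample events are assumptions for this example) and matches DNS queries against the C2 domain named in the article.

```python
"""Detection logic for the loader stage of the chain described above.

All sample events below are constructed for this example; they are not
telemetry from the report. Field names follow a generic Sysmon/EDR-style
process-creation record (parent image, image, command line).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office applications that should not normally spawn a DLL-registration utility.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Directories where a legitimately registered DLL (an add-in, a vendor component)
# would normally live. A DLL outside them, loaded by regsvr32 from Office, is
# the pattern the macro in this campaign produces.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# C2 domain named in the report; stored defanged, normalised at match time.
KNOWN_C2_DOMAINS = {"simonandschuster[.]shop"}

_DLL_RE = re.compile(r'"([^"]*?\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _refang(domain: str) -> str:
    return domain.lower().rstrip(".").replace("[.]", ".")


def _dll_argument(command_line: str) -> Optional[str]:
    """Return the first .dll path on the command line (quoted or bare), lower-cased."""
    m = _DLL_RE.search(command_line)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def check_process(ev: ProcessEvent) -> Optional[Finding]:
    """Flag an Office application spawning regsvr32.exe.

    High severity when the DLL being registered lives outside the trusted
    directories (user profile, temp, public folders); low severity otherwise,
    since a legitimate add-in install can look similar.
    """
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent not in OFFICE_PARENTS or child != "regsvr32.exe":
        return None
    dll = _dll_argument(ev.command_line)
    if dll is not None and dll.startswith(TRUSTED_DLL_DIRS):
        return Finding("office_spawns_regsvr32", "low",
                       f"{parent} -> {child} registering {dll}")
    return Finding("office_regsvr32_untrusted_dll", "high",
                   f"{parent} -> {child} loading {dll or '<no dll argument>'}")


def check_dns(query: str) -> Optional[Finding]:
    """Flag a DNS query for the reported C2 domain or any subdomain of it."""
    q = _refang(query)
    for d in map(_refang, KNOWN_C2_DOMAINS):
        if q == d or q.endswith("." + d):
            return Finding("known_c2_domain", "high", q)
    return None


def scan(events: List[ProcessEvent], dns_queries: List[str]) -> List[Finding]:
    findings = [f for f in map(check_process, events) if f]
    findings += [f for f in map(check_dns, dns_queries) if f]
    return findings


# Constructed sample telemetry: one malicious-looking chain, one benign
# add-in registration from Explorer, one ambiguous add-in registration from Excel.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\update.dll"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32 /s "C:\Program Files\Vendor\addin.dll"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32 /s "C:\Program Files\Vendor\addin.dll"'),
]
SAMPLE_DNS = ["update.microsoft.com", "simonandschuster.shop", "cdn.simonandschuster.shop"]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, SAMPLE_DNS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The process rule is deliberately placed before the evasion checks in the chain: it fires on the regsvr32 launch whether or not the downloader later finds an antivirus process or decides the host is outside Ukraine, so it does not depend on the payload ever being served. The low-severity branch is there because regsvr32 from Office is not always malicious; tune the trusted directory list to what add-in installers actually do in your environment.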
“By incorporating location-based checks during payload downloads, the attacker seeks to obscure suspicious activity, potentially evading detection by analysts,” Lin explained. “Encoded strings within the VBA conceal critical import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads.”
“Additionally, the self-deletion feature enhances evasion tactics, while the DLL injector employs delaying strategies and terminates parent processes to avoid sandboxing and anti-debugging mechanisms,” Lin added.