A new sophisticated cyber assault has been reported targeting endpoints geolocated to Ukraine with a goal to launch Cobalt Strike and assume control of the compromised hosts.
The attack chain, says Fortinet FortiGuard Labs, uses a Microsoft Excel file with an embedded VBA macro to launch the infection.
"The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server," security researcher Cara Lin wrote in a Monday study. "This attack employs various evasion techniques to ensure successful payload delivery."
Cobalt Strike, created and maintained by Fortra, is a genuine adversary simulation toolset used for red teaming operations. However, throughout the years, cracked versions of the program have been frequently used by threat actors for malevolent objectives.
The starting point of the attack is the Excel document which, when opened, shows content in Ukrainian and asks the victim to "Enable Content" in order to activate macros. It's worth mentioning that Microsoft has blocked macros by default in Microsoft Office as of July 2022.
Once macros are enabled, the document reportedly presents text pertaining to the amount of funding assigned to military units, while, in the background, the HEX-encoded macro installs a DLL-based downloader via the register server (regsvr32) program.
The obfuscated downloader checks running processes for those associated with Avast Antivirus and Process Hacker, and immediately terminates itself if it finds one.
If no such process is found, it reaches out to a remote server to fetch the next-stage encoded payload, but only if the device in question is located in Ukraine. The decoded file is a DLL that is chiefly responsible for launching another DLL, an injector that extracts and executes the final payload.
The attack chain culminates in the deployment of a Cobalt Strike Beacon that establishes communication with a C2 server ("simonandschuster[.]shop").
"By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts," Lin added. "Leveraging encoded strings, the VBA conceals crucial import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads."
"Furthermore, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively."