Excel File Deploys Cobalt Strike at Ukraine

  • Affected Platforms: Microsoft Windows
  • Impacted Users: Microsoft Windows
  • Impact: Compromised machines are under the control of the threat actor
  • Severity Level: High


FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure successful payload delivery.

Geopolitical Context

Over the past few years, Ukraine has been a significant target due to its geopolitical situation. The history of these attacks reveals a pattern of increasing complexity and frequency, particularly during periods of geopolitical tension. For instance, in 2022, FortiGuard Labs reported a campaign using a malicious Excel document themed around the Ukrainian military to deliver a multi-stage Cobalt Strike loader. In 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed that UAC-0057 was involved in an attack using a malicious XLS file containing a macro and a lure image to deploy PicassoLoader and Cobalt Strike Beacon on compromised systems.

Attack Flow Diagram

  1. Deploy XLS file with VBA macro.
  2. Drop DLL downloader.
  3. Drop and execute LNK file.
  4. Execute DLL downloader.
  5. Download encoded data.
  6. Extract and decode data.
  7. Add registry.
  8. Decrypt and save DLL injector.
  9. Inject Cobalt Strike.


Excel Document

The malicious Excel document contains elements in Ukrainian designed to lure the user into enabling its macros. Once the VBA macro is enabled, the document switches to sheets related to the calculation of the “amount of budget funds allocated to military units”.


VBA Macro

The primary function of the VBA macro is to deploy a DLL downloader, which is encoded in HEX. Additionally, most of the strings in the VBA code are HEX-encoded to evade basic string detection mechanisms. After dropping the DLL file “Ac83faafb23919Ae9.DLl” into “%APPDATA%\VIBErpc\bIn\biN,” the macro creates a shortcut named “ACtIVePRObE” in “%APPDATA%\Microsoft.” It then uses the “Shell” command to execute “RunDLL32.EXE shell32.dll,ShellExec_RunDLL '%APPDATA%\Microsoft\ACtIVePRObE.lnk', 0.”
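As an added illustration (not code from this write-up or from FortiGuard Labs), the Python below shows how a defender could flag the execution chain described above in process-creation telemetry: rundll32.exe proxying through shell32.dll,ShellExec_RunDLL to launch a .lnk from %APPDATA%\Microsoft, with an Office application as the parent. The event records and the expanded paths are constructed samples, and the field names are an assumption rather than any specific EDR or Sysmon schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are an assumption,
    not any particular EDR or Sysmon schema."""
    image: str
    command_line: str
    parent_image: str


# Indicators taken from the write-up: rundll32 + ShellExec_RunDLL and a .lnk
# under %APPDATA%\Microsoft (expanded to ...\AppData\Roaming\Microsoft on disk).
SHELLEXEC_RE = re.compile(r"shell32\.dll\s*,\s*shellexec_rundll", re.I)
LNK_RE = re.compile(r"\.lnk\b", re.I)
APPDATA_MS_RE = re.compile(r"(%appdata%|appdata\\roaming)\\microsoft\\", re.I)
OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")


def rundll32_lnk_reasons(ev: ProcessEvent) -> list:
    """Return the matched indicators for one event (empty list = not flagged)."""
    if not ev.image.lower().endswith("rundll32.exe"):
        return []
    reasons = []
    if SHELLEXEC_RE.search(ev.command_line):
        reasons.append("rundll32 proxies execution via shell32.dll,ShellExec_RunDLL")
    if LNK_RE.search(ev.command_line) and APPDATA_MS_RE.search(ev.command_line):
        reasons.append("shortcut launched from %APPDATA%\\Microsoft")
    if ev.parent_image.lower().endswith(OFFICE_PARENTS):
        reasons.append("parent process is an Office application")
    return reasons


def scan(events: list) -> list:
    """Return (event index, reasons) for every event matching at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        reasons = rundll32_lnk_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


def sample_events() -> list:
    """Constructed telemetry: one event mirroring the write-up's command line
    (with %APPDATA% expanded as a log would record it) and two benign events."""
    return [
        ProcessEvent(
            image=r"C:\Windows\System32\rundll32.exe",
            command_line=r"RunDLL32.EXE shell32.dll,ShellExec_RunDLL "
                         r"'C:\Users\user\AppData\Roaming\Microsoft\ACtIVePRObE.lnk', 0",
            parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        ),
        ProcessEvent(  # legitimate Control Panel applet launch via rundll32
            image=r"C:\Windows\System32\rundll32.exe",
            command_line=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl",
            parent_image=r"C:\Windows\explorer.exe",
        ),
        ProcessEvent(
            image=r"C:\Windows\System32\notepad.exe",
            command_line=r"notepad.exe C:\Users\user\notes.txt",
            parent_image=r"C:\Windows\explorer.exe",
        ),
    ]


if __name__ == "__main__":
    for idx, reasons in scan(sample_events()):
        print(f"event {idx}: " + "; ".join(reasons))
```

Each indicator on its own is noisy (rundll32 and shell32.dll exports have plenty of legitimate uses), so the function reports all matched reasons and lets the caller decide on a threshold; in the constructed sample only the Office-spawned event accumulates all three.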

DLL Downloader

  • The downloader “Ac83faafb23919Ae9.DLl” is obfuscated with ConfuserEx.
  • First, it examines process names for specific strings related to analysis tools and antivirus software and terminates itself if such processes are found.
  • Once the process check passes, it constructs a web request to get the next-stage payload from a URL. The download only occurs if the device is located in Ukraine.
  • The decoded data is also a .NET DLL file tasked with decrypting the file for the next stage and establishing persistence.
  • Next, it checks if the targeted file exists. If not, it creates the file and uses a hard-coded key to decrypt the data using an RC4 algorithm.
  • It then adds a registry value for persistence and executes the command.

DLL Injector

The file “ResetEngine.dll” serves as the core component for decrypting and injecting the final payload. It uses “NtDelayExecution” to evade detection of malicious activities within sandboxes and implements anti-debugging measures.
After these evasion checks complete, it decrypts the final payload with an AES algorithm and injects it into itself to execute the final Cobalt Strike payload.

Cobalt Strike Payload

The configuration extraction process involves XOR-ing with 0x2E to decipher the information hidden within. By extracting and parsing the configuration, we unveiled the Beacon’s Cobalt Strike Team Server’s (C2) URLs.
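The extraction step described above, as an added example that is not part of the write-up or of any FortiGuard tooling: the Python below locates a Beacon configuration block inside a buffer by searching for the XOR-encoded first record, undoes the single-byte 0x2E XOR, and walks the index/type/length records to recover the C2 server and port. The record layout is the publicly documented one used by common Beacon config extractors; the input blob, the filler bytes around it and the C2 host are constructed placeholders, not indicators from this sample.

```python
import struct

XOR_KEY = 0x2E  # single-byte key the write-up names for this sample

# Beacon configuration layout (as used by public config extractors):
# big-endian records  index:u16 | type:u16 | length:u16 | value,
# terminated by an all-zero record. Type 1 = 16-bit int, 2 = 32-bit int, 3 = bytes.
# Only the settings needed here are named; real configs carry many more.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 8: "C2Server", 9: "UserAgent"}
BEACON_TYPES = {0: "HTTP", 8: "HTTPS"}
PLAIN_SIGNATURE = struct.pack(">HHH", 1, 1, 2)  # first record: BeaconType, type 1, len 2


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_config(blob: bytes, key: int = XOR_KEY) -> int:
    """Offset of the encoded config, found via the XOR-ed first-record signature, or -1."""
    return blob.find(xor_bytes(PLAIN_SIGNATURE, key))


def parse_config(decoded: bytes) -> dict:
    """Walk decoded records until the zero terminator; return named settings."""
    settings = {}
    off = 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if idx == 0:
            break
        raw = decoded[off:off + length]
        off += length
        if typ == 1:
            value = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        if idx == 1:
            value = BEACON_TYPES.get(value, value)
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
    return settings


def extract_config(blob: bytes, key: int = XOR_KEY) -> dict:
    """Full pipeline: locate the block, XOR-decode from that offset, parse records."""
    off = find_config(blob, key)
    if off < 0:
        raise ValueError("no encoded config signature found")
    return parse_config(xor_bytes(blob[off:], key))


def build_sample_blob() -> bytes:
    """Constructed test input: a minimal plaintext config XOR-ed with 0x2E and
    embedded between filler bytes. The C2 host is a placeholder, not an IOC."""
    def record(idx, typ, value: bytes, length=None):
        length = len(value) if length is None else length
        return struct.pack(">HHH", idx, typ, length) + value.ljust(length, b"\x00")
    plain = (
        record(1, 1, struct.pack(">H", 8))                    # BeaconType: HTTPS
        + record(2, 1, struct.pack(">H", 443))                # Port
        + record(8, 3, b"c2.example.invalid,/api/v1", 256)    # C2Server (placeholder)
        + record(9, 3, b"Mozilla/5.0 (constructed sample)", 128)
        + b"\x00" * 6                                         # terminator
    )
    return b"MZ" + b"\x00" * 30 + xor_bytes(plain) + b"\xcc" * 16


if __name__ == "__main__":
    for name, value in extract_config(build_sample_blob()).items():
        print(f"{name}: {value}")
```

The signature search is what makes the decode practical on a memory dump or an unpacked payload: the first record is always BeaconType with type 1 and length 2, so its six encoded bytes are a fixed pattern for a given key, and trying a handful of candidate keys (0x2E here, 0x69 in many default builds) costs almost nothing.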


Conclusion

In this sophisticated attack, the assailant employs multi-stage malware tactics to thwart detection while ensuring operational stability. By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts. Leveraging encoded strings, the VBA conceals crucial import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads. Furthermore, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively. These orchestrated maneuvers converge towards the deployment of Cobalt Strike onto targeted endpoints, particularly within the confines of Ukraine's geopolitical landscape. As Office documents provide troves of functionality, including numerous plugins and scripts, users must exercise utmost caution when handling files sourced from dubious origins. Vigilance is paramount, particularly regarding any suspicious file drops or unfamiliar startup programs within registry settings.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

  • VBA/Agent.APO!tr
  • W32/Injector.S!tr
  • MSIL/Agent.QTS!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard Web Filtering Service blocks the C2 server. The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the document.

We also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals.

IOCs

1. Domains:

  • goudieelectric[.]shop
  • simonandschuster[.]shop

2. Files:

  • 88c97af92688d03601e4687b290d4d7f9f29492612e29f714f26a9278c6eda5b
  • 815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be
  • 9649d58a220ed2b4474a37d6eac5f055e696769f87baf58b1d3d0b5da69cbce5
  • af8104e567c6d614547acb36322ad2ed6469537cd1d78ae1be65fbde1d578abc
  • de1bceb00c23e468f4f49a79ec69ec8ad3ed622a3ffc08f84c0481ad0f6f592b
  • 6f4642a203541426d504608eed7927718207f29be2922a4c9aa7e022f22e0deb
  • d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf
  • d9b16f077cd6e00137ba208031d22fd6423d0ef303883ad4b6f78638693f2044


Special thanks to FortiGuard Labs for their detailed analysis and continuous efforts in cybersecurity research.


#CyberAttack #ExcelMalware #CobaltStrike #Infosec #CybersecurityAlert #StaySecure #SecurityAwareness #CyberThreat #CyberDefense #ProtectYourData #InfosecCommunity #firefighter #CybersecurityExpert #ThreatIntelligence #MalwareAnalysis #UkraineUnderAttack #Cyberwarfare #Cybercrime #DigitalSecurity #CyberSecurity #ThreatIntelligence #FortiGuardLabs #CobaltStrike #CyberAttack #InfoSec #MalwareAnalysis #Ukraine


Hope this is helpful!

Engineer/Fady Yousef

Network Security Engineer

Anthony Place

IT Solution & Cybersecurity Architect | MBA | CEO CodeCybear

8 months

Office files are often used to execute malicious code and infect organizations with ransomware. Our solution, CodeCybear, helps safeguard against threats that antivirus might miss. Interested in learning more? Check out CodeCybear.com
