Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

Summary:
A sophisticated cyber attack has been detected targeting devices in Ukraine to deploy Cobalt Strike and take control of the compromised systems. Fortinet FortiGuard Labs reported that the attack initiates with a Microsoft Excel file containing an embedded VBA macro that starts the infection process. Security researcher Cara Lin explained that the attacker employs a multi-stage malware strategy to deliver the notorious Cobalt Strike payload and establish communication with a command-and-control server. The attack uses various evasion techniques to ensure successful payload delivery.

Cobalt Strike, a legitimate adversary simulation toolkit developed by Fortra, is commonly used for red teaming operations. However, cracked versions of the software have been extensively exploited by threat actors for malicious purposes. The attack begins with an Excel document that displays content in Ukrainian, urging victims to "Enable Content" to activate macros. This is despite Microsoft blocking macros by default in Microsoft Office as of July 2022. When macros are enabled, the document appears to show information related to military funds allocation. In the background, however, the HEX-encoded macro deploys a DLL-based downloader using the regsvr32 utility. This obfuscated downloader monitors running processes for Avast Antivirus and Process Hacker and terminates itself if it detects either. If no such processes are found, the downloader contacts a remote server to fetch the next-stage encoded payload, proceeding only if the device is geolocated in Ukraine. The decoded file is a DLL that launches another DLL file, an injector crucial for extracting and running the final malware.

The attack culminates in the deployment of a Cobalt Strike Beacon that connects to a C2 server. The attacker applies location-based checks during payload downloads to mask suspicious activity and potentially evade detection by analysts. The VBA code hides the import names it needs behind encoded strings, which lets it deploy the DLL files used for persistence and decrypt the subsequent payloads.
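The regsvr32 step described above leaves a distinctive process-creation trace: an Office application spawning regsvr32.exe with a DLL argument in a user-writable path. The following is an added detection example, not code from the report or from FortiGuard Labs; the Sysmon-style field names and the sample events are constructed for illustration.

```python
"""Flag regsvr32.exe launched by an Office application to load a DLL from a
user-writable directory, the macro-to-DLL-downloader pattern described above.
Event layout (Image, ParentImage, CommandLine, ProcessId) follows Sysmon
process-creation fields; all sample events below are constructed, not real IoCs.
"""
import re
from typing import Dict, List

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Paths a standard user can write to; a registered DLL living here is unusual.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\)",
    re.IGNORECASE,
)
DLL_ARG = re.compile(r"\.(dll|ocx)\b", re.IGNORECASE)


def is_suspicious_regsvr32(event: Dict[str, str]) -> bool:
    """True when regsvr32.exe has an Office parent and its command line names
    a DLL/OCX under a user-writable directory."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image != "regsvr32.exe" or parent not in OFFICE_PARENTS:
        return False
    return bool(DLL_ARG.search(cmd)) and bool(USER_WRITABLE.search(cmd))


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessIds of all events matching the pattern."""
    return [e["ProcessId"] for e in events if is_suspicious_regsvr32(e)]


# Constructed sample events (hypothetical paths, not indicators from the report).
SAMPLE_EVENTS = [
    {"ProcessId": "4412", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\loader.dll"},
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"ProcessId": "6001", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c echo benign"},
]

if __name__ == "__main__":
    print("suspicious regsvr32 PIDs:", scan(SAMPLE_EVENTS))
```

Only the first event fires: the second is regsvr32 with a non-Office parent and a system DLL, and the third is an Office child that is not regsvr32.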

Security Officer Comments:
The malware's self-deletion routine also helps it evade detection, while the DLL injector uses delaying tactics and terminates its parent process to defeat sandboxing and anti-debugging checks. Together, these evasion techniques contribute to the attack's success in compromising targeted endpoints in Ukraine.

Suggested Corrections:
IOCs:
https://www.fortinet.com/blog/threa...d-excel-file-deploys-cobalt-strike-at-ukraine

Because Office documents expose a great deal of functionality, including plug-ins and scripting, users must exercise the utmost caution when handling files from dubious origins. Vigilance is paramount, particularly for suspicious file drops and unfamiliar startup entries in the registry.

Link(s):
https://thehackernews.com/2024/06/hackers-use-ms-excel-macro-to-launch.html