Excel File Deploys Cobalt Strike at Ukraine
June 4, 2024, 5:31 p.m.
Description
A multi-stage attack was identified that used an Excel file carrying a VBA macro to drop a DLL. The attacker combined several evasion techniques with a multi-stage malware chain to deliver a Cobalt Strike payload that communicates with a command-and-control server. The attack targeted Ukraine: payload downloads were gated on the victim's location, and encoded strings concealed key import names and supported deployment of the DLLs used for persistence and payload decryption. A self-deleting stage and a DLL injector with anti-debugging checks were intended to evade detection, ultimately leading to the execution of Cobalt Strike on compromised endpoints in Ukraine.
Tags
Date
- Created: June 4, 2024, 5:24 p.m.
- Published: June 4, 2024, 5:24 p.m.
- Modified: June 4, 2024, 5:31 p.m.
Indicators
Additional Information
- Government
- Ukraine