Excel File Deploys Cobalt Strike at Ukraine

June 4, 2024, 5:31 p.m.

Description

A sophisticated multi-stage cyberattack was identified, using an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, which establishes communication with a command and control server. The attack targeted Ukraine, using location-based payload downloads and string encoding to conceal key import strings, and deploying DLL files for persistence and payload decryption. A self-deleting feature and a DLL injector with anti-debugging mechanisms were intended to evade detection, ultimately leading to the execution of Cobalt Strike on compromised endpoints in Ukraine.

Date

Published: June 4, 2024, 5:24 p.m.
Created: June 4, 2024, 5:24 p.m.
Modified: June 4, 2024, 5:31 p.m.

Indicators


Attack Patterns

PicassoLoader

Cobalt Strike - S0154

T1211

T1064

T1574.002

T1059.005

T1059.003

T1059.001

T1027.005

T1059.007

T1497

T1486

T1055

T1027

T1059

Additional Information

Government

Ukraine