04 June 2024 | Newsroom | Cyber Attack / Malware

A multi-stage malware attack

A new sophisticated cyber attack has been observed targeting devices located in Ukraine with the aim of deploying Cobalt Strike and seizing control of the compromised hosts.

The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection.

“The attacker uses a multistage malware strategy to deliver the infamous ‘Cobalt Strike’ payload and establish communication with the command and control (C2) server,” security researcher Cara Lin said in a report on Monday. “This attack uses a variety of evasion techniques to ensure successful payload delivery.”

Cobalt Strike, developed and maintained by Fortra, is a legitimate adversary simulation toolkit used for red teaming operations. However, over the years, cracked versions of the software have been widely abused by threat actors for malicious purposes.

The starting point of the attack is an Excel document that displays content in Ukrainian when launched and prompts the victim to “enable content” in order to activate the macro. It is worth noting that Microsoft has blocked macros by default in Microsoft Office as of July 2022.

After the macro is enabled, the document displays content allegedly related to the amount of funds allocated to military units, while, in the background, the HEX-encoded macro deploys a DLL-based downloader via the register server (regsvr32) utility.

The obfuscated downloader monitors running processes for those related to Avast Antivirus and Process Hacker, and promptly terminates itself if it detects one.

Assuming no such process is identified, it reaches out to a remote server to fetch the next-stage encoded payload, but only if the device in question is located in Ukraine. The decoded file is a DLL that is primarily responsible for launching another DLL file, an injector that is critical to extracting and executing the final malware.

The attack mechanism culminates in the deployment of a Cobalt Strike beacon that communicates with the C2 server (“simonandschuster[.]shop”).

“By implementing location-based checks during payload downloads, an attacker aims to hide suspicious activity, potentially avoiding scrutiny by analysts,” Lin said. “By leveraging encoded strings, VBA hides important import strings, helping to deploy DLL files for persistence and decrypt subsequent payloads.”

“Furthermore, the self-deletion feature helps with evasion tactics, while the DLL injector uses delay tactics and terminates the parent process to avoid sandboxing and anti-debugging mechanisms, respectively.”
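For defenders, the chain described above leaves two observable signals: Excel spawning regsvr32, and a lookup of the C2 domain named in the report. The following added example (not code from Fortinet or from this article) correlates the two per host; the event field names and sample telemetry are constructed, and the parent list is broadened beyond Excel as an assumption.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumption: Excel is the parent named in the article; other Office apps added here.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
C2_DOMAIN = "simonandschuster[.]shop".replace("[.]", ".")  # indicator from the article
C2_DOMAINS = {C2_DOMAIN}

# Constructed sample telemetry (simplified Sysmon-like fields; not from the report).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "pid": 3300, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process", "host": "ws-01", "pid": 4120, "ppid": 3300,
     "image": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "dns", "host": "ws-01", "query": C2_DOMAIN + "."},
    {"type": "process", "host": "ws-02", "pid": 700, "ppid": 4,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "host": "ws-02", "pid": 812, "ppid": 700,
     "image": r"C:\Windows\System32\REGSVR32.EXE"},  # regsvr32, but not from Office
    {"type": "dns", "host": "ws-02", "query": "not" + C2_DOMAIN},  # look-alike, no match
]

def matches_c2(query):
    """Exact or subdomain match; a bare suffix match would flag look-alike names."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)

def detect(events):
    """Return {host: sorted finding names}; 'chain' means both signals on one host."""
    images, findings = {}, {}
    for e in events:  # first pass: pid -> image name (ignores pid reuse for brevity)
        if e["type"] == "process":
            images[(e["host"], e["pid"])] = basename(e["image"]).lower()
    for e in events:
        hits = findings.setdefault(e["host"], set())
        if e["type"] == "process":
            child = images[(e["host"], e["pid"])]
            parent = images.get((e["host"], e["ppid"]), "")
            if child == "regsvr32.exe" and parent in OFFICE_PARENTS:
                hits.add("office_spawned_regsvr32")
        elif e["type"] == "dns" and matches_c2(e["query"]):
            hits.add("c2_domain_lookup")
    for hits in findings.values():
        if {"office_spawned_regsvr32", "c2_domain_lookup"} <= hits:
            hits.add("chain")
    return {h: sorted(f) for h, f in findings.items() if f}

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```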
