Cobalt Strike in an alluring wrapper: malicious Excel spreadsheets flooded Ukraine

Tomcat

Fortinet researchers have uncovered a series of sophisticated, multi-stage attacks.

Researchers at Fortinet have recorded a new, complex malicious operation aimed at devices in Ukraine. The attackers' main goal is to deploy Cobalt Strike and seize control of the compromised hosts.

According to security researcher Cara Lin, the attack starts with a malicious Microsoft Excel file containing an embedded VBA script. This script launches a multi-stage infection that ends with communication to the attackers' C2 server.

Cobalt Strike, developed by Fortra, was originally designed to simulate attacks for security testing. However, cracked versions of it are actively used by intruders for criminal purposes.

The initial stage of this operation involves an Excel document written in Ukrainian. Since July 2022, Microsoft has blocked Office macros by default, which makes the attackers' job harder. Over time, however, the hackers have become adept at social engineering, crafting the document's content so that it prompts the victim to enable macros.

Once macros are enabled, the script runs a DLL loader in the background via the regsvr32 utility. The loader monitors running processes for Avast Antivirus and Process Hacker and shuts itself down if either is detected.

If neither process is present, the loader connects to a remote server to download the next stage of the malware, but only if the device is located in Ukraine.

The downloaded file is a DLL that launches a second DLL acting as an injector, which extracts and runs the final payload. The last stage of the attack deploys a Cobalt Strike Beacon that establishes communication with the attackers' C2 server.
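The chain described above leaves a distinctive trace on the endpoint: an Office application spawning regsvr32.exe, and regsvr32.exe being handed a DLL from a user-writable directory rather than a system path. The following detection logic is an added example written for this post, not code from Fortinet or from the article; it assumes Sysmon-style process-creation events exported as JSON lines with the fields `Image`, `ParentImage`, `CommandLine` and `UtcTime`, and the sample log lines are constructed for illustration.

```python
import json
import shlex
from pathlib import PureWindowsPath

# Office hosts whose child regsvr32.exe is suspicious (macro -> regsvr32 loader).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Directories from which a registered DLL is normally expected. Anything else
# (Temp, Downloads, AppData, ...) is user-writable and worth a closer look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def regsvr32_dll_argument(cmdline):
    """Return the DLL path passed to regsvr32, or None if none is present.

    posix=False keeps Windows backslashes intact and keeps quoted paths
    (with spaces) together as one token.
    """
    for token in shlex.split(cmdline, posix=False):
        path = token.strip('"')
        if path.lower().endswith(".dll"):
            return path
    return None


def analyze_event(event):
    """Return a list of finding names for one process-creation event."""
    findings = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if image != "regsvr32.exe":
        return findings

    # Finding 1: regsvr32 started directly by an Office application.
    if parent in OFFICE_PARENTS:
        findings.append("office-spawned-regsvr32")

    # Finding 2: the DLL being registered lives outside system directories.
    dll = regsvr32_dll_argument(event.get("CommandLine", ""))
    if dll and not dll.lower().startswith(TRUSTED_PREFIXES):
        findings.append("regsvr32-dll-outside-system-dirs")
    return findings


def scan(lines):
    """Run analyze_event over JSON-lines input; return (time, cmdline, findings)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            alerts.append((event["UtcTime"], event["CommandLine"], findings))
    return alerts


# Constructed sample events (hypothetical hosts and paths, not real IoCs).
SAMPLE_LOG = r"""
{"UtcTime": "2024-04-10 09:12:01", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\victim\\AppData\\Local\\Temp\\update.dll", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"UtcTime": "2024-04-10 09:13:45", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\app.dll\"", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"UtcTime": "2024-04-10 09:14:02", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2024-04-10 09:15:30", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\victim\\Downloads\\x.dll", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""


if __name__ == "__main__":
    for when, cmd, findings in scan(SAMPLE_LOG.splitlines()):
        print(when, "|", cmd, "|", ", ".join(findings))
```

Only the first and last sample events fire: the Excel-spawned regsvr32 call matches both rules, the Downloads-path call matches the path rule only, and the vendor installer registering a DLL under Program Files produces no alert. In production the same two conditions map directly onto an EDR or SIEM rule keyed on parent process name and command-line path.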

"Geolocation-based checks during the download of payloads allow attackers to hide suspicious activity, avoiding the attention of analysts," Lin explained. "Using encoded strings helps hide important imported strings, making it easier to deploy DLL files and decrypt subsequent loads."

In addition, a self-deletion routine helps the malware evade security controls, and the DLL injector uses delays and terminates parent processes to evade sandbox analysis and anti-debugging mechanisms.

This operation demonstrates a high degree of sophistication and a clear focus on Ukrainian targets. The attackers combine social engineering, geolocation filtering, and antivirus and sandbox evasion to deploy Cobalt Strike successfully.