Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

A new, sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with the aim of deploying Cobalt Strike and seizing control of the compromised hosts.

The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection.

"The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server," security researcher Cara Lin said in a Monday report. "This attack employs various evasion techniques to ensure successful payload delivery."


Cobalt Strike, developed and maintained by Fortra, is a legitimate adversary simulation toolkit used for red teaming operations. However, over the years, cracked versions of the software have been widely abused by threat actors for malicious purposes.

The starting point of the attack is the Excel document that, when opened, displays content in Ukrainian and urges the victim to "Enable Content" in order to activate macros. It's worth noting that Microsoft has blocked macros by default in Microsoft Office as of July 2022.


Once macros are enabled, the document purportedly shows content related to the amount of funds allocated to military units, while, in the background, the HEX-encoded macro deploys a DLL-based downloader via the register server (regsvr32) utility.

The obfuscated downloader monitors running processes for those related to Avast Antivirus and Process Hacker, and promptly terminates itself if it detects one.

Assuming no such process is identified, it reaches out to a remote server to fetch the next-stage encoded payload, but only if the system in question is located in Ukraine. The decoded file is a DLL that is primarily responsible for launching another DLL file, an injector essential to extracting and running the final malware.


The attack procedure culminates in the deployment of a Cobalt Strike Beacon that establishes contact with a C2 server ("simonandschuster[.]store").
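From the defender's side, the chain described above (Excel spawning regsvr32 to load a DLL, then that process contacting the reported C2 domain) maps onto two simple host-telemetry checks. The following Python script is an added example, not code from Fortinet or from the original report: it runs over constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records, flags an Office application spawning regsvr32 with a DLL from a user-writable path, and correlates a later DNS query from that same process for the C2 domain named in the article. The log lines, paths, process IDs and field names are assumptions for the sake of the example; extending the loader list to rundll32 is the author's generalisation, not something the report states.

```python
import json
import re

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (assumption: the
# field names follow Sysmon Event ID 1 / Event ID 22). The first two records mimic
# the chain in the article; the last two are benign noise that must not fire.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\olena\\AppData\\Local\\Temp\\stage1.dll"}
{"EventID": 22, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\regsvr32.exe", "QueryName": "simonandschuster.store"}
{"EventID": 1, "ProcessId": 5012, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"}
{"EventID": 22, "ProcessId": 5012, "Image": "C:\\Windows\\System32\\regsvr32.exe", "QueryName": "update.vendor.example"}
"""

# Office parents that should rarely, if ever, spawn a DLL loader.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# regsvr32 is the loader named in the report; rundll32 is added as a generalisation.
LOADER_BINARIES = {"regsvr32.exe", "rundll32.exe"}
# Directories a standard user can write to; a DLL loaded from here is far more
# suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# C2 domain from the article, un-defanged for matching against query names.
C2_DOMAINS = {"simonandschuster.store"}


def parse_jsonl(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts for Office->loader spawns and for DNS lookups of known C2 hosts.

    A DNS alert records whether the querying process was already flagged as a
    suspicious loader, which is the correlation an analyst wants to see first.
    """
    alerts = []
    suspicious_pids = set()
    for ev in events:
        if ev.get("EventID") == 1:
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent in OFFICE_APPS and child in LOADER_BINARIES and USER_WRITABLE.search(cmd):
                suspicious_pids.add(ev["ProcessId"])
                alerts.append({
                    "rule": "office_spawns_dll_loader",
                    "pid": ev["ProcessId"],
                    "parent": parent,
                    "child": child,
                    "command_line": cmd,
                })
        elif ev.get("EventID") == 22:
            qname = ev.get("QueryName", "").lower().rstrip(".")
            if qname in C2_DOMAINS:
                alerts.append({
                    "rule": "known_c2_dns_query",
                    "pid": ev["ProcessId"],
                    "domain": qname,
                    "chained_to_loader": ev["ProcessId"] in suspicious_pids,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_jsonl(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed input the script raises exactly two alerts, both for process 4120: the Excel-to-regsvr32 spawn with a DLL under the user's Temp directory, and the C2 lookup marked as chained to that loader. The benign regsvr32 launch from Explorer with a DLL under Program Files does not fire, which is the point of the user-writable-path condition.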

"By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts," Lin said. "Leveraging encoded strings, the VBA conceals crucial import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads."


"Additionally, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively."
