The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities in order to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cobalt Strike is a paid penetration testing product that allows threat actors to deploy an agent named 'Beacon' on the victim machine. Beacon’ functionality includes (but not limited to) command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.

The observed campaign involves phishing emails with the subject “Зміни оплата праці з нарахуваннями” (“Salary changes with accruals”) with an attachment in the form of a malicious Microsoft Word document, which contains a link to an HTML file. Once the document is opened, JavaScript code is executed on the machine, which triggers the exploitation of the CVE-2021-40444 and CVE-2022-30190 vulnerabilities, and ultimately leads to the download of Cobalt Strike Beacon onto a compromised computer.

CVE-2021-40444 is an RCE vulnerability within the Windows MSHTML component. It allows a remote hacker to execute code on a victim machine using a specially crafted Office document with a malicious ActiveX control inside.

CVE-2022-30190 is a recently disclosed issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system. At present, there is no fix available for this bug.

CERT-UA’s advisory also includes Indicators of Compromise (IoCs) related to this campaign.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!