29 April 2024

Ukraine targeted in malspam campaign exploiting old MS Office bug

Cybersecurity researchers published technical details of a sophisticated targeted cyber operation against Ukraine, exploiting a nearly seven-year-old vulnerability in Microsoft Office software. The attack, discovered by Deep Instinct, involves the use of a malicious PowerPoint slideshow file to deliver the Cobalt Strike tool to compromised systems.

The attack vector primarily relies on a PowerPoint slideshow file titled “signal-2023-12-20-160512.ppsx,” ostensibly shared through the Signal instant messaging app.

According to Deep Instinct Threat Lab's analysis, the malicious file was uploaded from Ukraine to VirusTotal. The PPSX file masquerades as a dated instruction manual for mine clearing blades (MCB) used in US Army tanks, luring unsuspecting victims into opening it.

According to the researchers, the PPSX file includes a remote relationship to an external OLE object. This tactic exploits CVE-2017-8570, a patched memory corruption vulnerability in Microsoft Office, which allows remote code execution via a specially crafted file. The exploit then proceeds to load a remote script hosted on the domain “weavesilk.space.”

Next, an obfuscated script embedded within the malicious payload triggers the execution of an HTML file containing JavaScript code. This code is used to establish persistence on the compromised host through manipulation of the Windows Registry. Additionally, the attack deploys a next-stage payload masquerading as the legitimate Cisco AnyConnect VPN client.

The final stage of the attack involves the deployment of a Dynamic Link Library (DLL) named “vpn.sessings,” acting as a loader/packer to inject a Cobalt Strike Beacon into the system's memory. This beacon, awaiting commands from the command-and-control (C&C) server, enables the threat actor to execute arbitrary actions on the compromised system, potentially leading to data exfiltration or further network exploitation.
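The initial indicator in this chain is structural: a PowerPoint package whose relationship file points an OLE object at a remote target instead of a part inside the document. The script below is an added, defender-side check that is not from the article or Deep Instinct's report; it builds a constructed minimal package (with a placeholder example.invalid URL and no real payload) and flags every externally-targeted oleObject relationship.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_external_ole(data: bytes) -> list:
    """Scan an OOXML package (ppsx/pptx/docx/xlsx) for OLE relationships
    whose TargetMode is External. Returns (rels_path, target) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                # An OLE object should be embedded in the package; a remote
                # target is the pattern this campaign relies on.
                if rel_type.endswith("/oleObject") and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Target", "")))
    return findings


def build_sample_package(external: bool) -> bytes:
    """Constructed sample: a skeleton package with one slide. When `external`
    is True, the slide's .rels carries an external OLE relationship pointing
    at a placeholder host (no payload of any kind is included)."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" '
            'Target="../slideLayouts/slideLayout1.xml"/>']
    if external:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" '
                    'Target="http://example.invalid/placeholder" TargetMode="External"/>')
    rels_xml = f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for rels_path, target in find_external_ole(build_sample_package(True)):
        print(f"external OLE relationship in {rels_path} -> {target}")
```

The same function can be pointed at a suspicious attachment directly (`find_external_ole(open(path, "rb").read())`); an empty result for a clean file and a hit for the constructed one is the expected outcome.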

Deep Instinct did not attribute this campaign to any particular threat actor. However, last week CERT-UA detailed a malicious campaign against the Ukrainian government and military, linked to the UAC-0149 threat actor, which has been targeting the Ukrainian Defense Forces with the CookBox malware disseminated through the Signal messaging app. To deploy the malware on infected systems, the attackers exploit a critical WinRAR vulnerability (CVE-2023-38831).
