A new and sophisticated cyber attack targeting endpoints in Ukraine has been observed, aiming to deploy Cobalt Strike and seize control of compromised hosts, according to a report from Fortinet FortiGuard Labs. The attack chain involves the use of a Microsoft Excel file embedded with a VBA macro to initiate the infection process.
“The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server,” the researchers explained. “This attack employs various evasion techniques to ensure successful payload delivery.”
The attack starts with a malicious Excel document, designed with elements in Ukrainian to lure users into enabling its macros. Once the macro is enabled, it deploys a DLL downloader that scans running processes for specific strings associated with analysis tools and antivirus software, such as "processhacker," "avastui," "aswtoolssvc," "wsc_proxy," "procexp," "overseer," and "avastsvc." If any of these are detected, the downloader terminates the associated process to avoid detection.
Once the process check has passed, the downloader constructs a web request to retrieve the next-stage payload, extracts the base64-encoded data from the response, and saves the decoded data to the TEMP folder under a randomly generated file name. The decoded file is then executed with "rundll32.exe," followed by a sleep command that waits for execution to finish. Once it completes, the decoded file is deleted to remove traces of the infection.
The decoded data is a .NET DLL that decrypts the subsequent stage and establishes persistence on the infected system. A file named "ResetEngine.dll" decrypts and injects the final payload, calling the "NtDelayExecution" function to delay execution and evade sandbox environments. It also iterates through running processes and attempts to terminate any parent processes as an anti-debugging measure.
After evading detection, the malware decrypts the final payload using the AES algorithm. It then injects the decrypted data into itself and employs various APIs, including "GetCurrentProcessId," "OpenProcess," "VirtualAllocEx," "WriteProcessMemory," "CreateRemoteThread," and "WaitForSingleObject," to execute the final Cobalt Strike payload.
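As an added illustration of how a defender could look for the chain described above (this is example code, not code from Fortinet or from the report), the following Python script scans constructed, pipe-delimited process-creation and API-call telemetry for two of the observable behaviours: rundll32.exe spawned by Excel and loading a DLL from the user's Temp folder, and the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread call sequence in one process. The record format, field layout, and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Office hosts that should not normally be the parent of a rundll32.exe
# loading a DLL from %TEMP% (assumed set for this example).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Ordered API sequence named in the report for executing the final payload.
INJECTION_SEQUENCE = ["OpenProcess", "VirtualAllocEx",
                      "WriteProcessMemory", "CreateRemoteThread"]

# Matches a DLL path under the per-user Temp directory (case-insensitive).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed sample telemetry (not real data). Two record kinds:
#   proc|pid|ppid|image|cmdline      process creation
#   api|pid|function                 API call observed in that process
SAMPLE_EVENTS = [
    "proc|4100|3990|C:\\Program Files\\Microsoft Office\\EXCEL.EXE|EXCEL.EXE invoice.xlsm",
    "proc|4120|4100|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\k8d1x.dll,Start",
    "api|4120|GetCurrentProcessId",
    "api|4120|OpenProcess",
    "api|4120|VirtualAllocEx",
    "api|4120|WriteProcessMemory",
    "api|4120|CreateRemoteThread",
    "api|4120|WaitForSingleObject",
    # Benign control-panel launch: rundll32 with a system DLL, no Office parent.
    "proc|5000|800|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "api|5000|OpenProcess",
    "api|5000|WaitForSingleObject",
]


def parse_events(lines):
    """Split raw records into a pid->process map and a pid->API-call list."""
    procs = {}
    api_calls = defaultdict(list)
    for line in lines:
        fields = line.split("|")
        if fields[0] == "proc":
            pid, ppid, image, cmdline = int(fields[1]), int(fields[2]), fields[3], fields[4]
            procs[pid] = {"ppid": ppid, "image": image, "cmdline": cmdline}
        elif fields[0] == "api":
            api_calls[int(fields[1])].append(fields[2])
    return procs, api_calls


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_office_spawned_rundll32_from_temp(pid, procs):
    """rundll32.exe whose parent is an Office host and whose DLL lives in %TEMP%."""
    rec = procs[pid]
    if basename(rec["image"]) != "rundll32.exe":
        return False
    parent = procs.get(rec["ppid"])
    if parent is None or basename(parent["image"]) not in OFFICE_IMAGES:
        return False
    return bool(TEMP_DIR_RE.search(rec["cmdline"]))


def has_injection_sequence(calls, sequence=INJECTION_SEQUENCE):
    """True if the expected calls appear in order (other calls may sit between them)."""
    idx = 0
    for call in calls:
        if call == sequence[idx]:
            idx += 1
            if idx == len(sequence):
                return True
    return False


def analyze(lines):
    """Return {pid: [reasons]} for every process that trips at least one check."""
    procs, api_calls = parse_events(lines)
    findings = defaultdict(list)
    for pid in procs:
        if is_office_spawned_rundll32_from_temp(pid, procs):
            findings[pid].append("office-spawned rundll32 loading DLL from %TEMP%")
    for pid, calls in api_calls.items():
        if has_injection_sequence(calls):
            findings[pid].append("remote-injection API sequence")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Either check alone produces noise on a real endpoint (rundll32 is a legitimate host for many DLLs, and the injection APIs are used by debuggers and some installers); correlating the two on the same process, as the `analyze` output does for pid 4120, is what gives a usable signal.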
“In this sophisticated attack, the assailant employs multi-stage malware tactics to thwart detection while ensuring operational stability. By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts. Leveraging encoded strings, the VBA conceals crucial import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads. Furthermore, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively,” Fortinet noted.