New Multi-Stage Malware Targets Windows Users in Ukraine

Security researchers have recently identified a highly sophisticated cyber-attack targeting Microsoft Windows systems in Ukraine. 

The attack, described in a FortiGuard Labs advisory published yesterday, leverages an Excel file embedded with a VBA macro to deploy a malicious DLL file, ultimately delivering the notorious “Cobalt Strike” payload. 

This advanced multi-stage malware strategy allows attackers to establish communication with a command-and-control (C2) server while employing various evasion techniques to ensure the successful deployment of the payload.

FortiGuard Labs highlighted a pattern of increasing complexity and frequency in attacks against Ukraine over the last few years, particularly during periods of heightened geopolitical tension. In 2022, a campaign using a malicious Excel document themed around the Ukrainian military was reported, which also aimed to deliver a multi-stage Cobalt Strike loader. 

In 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) revealed that a threat group, UAC-0057, utilized a similar malicious XLS file containing a macro and lure image to deploy PicassoLoader and Cobalt Strike Beacon on compromised systems.

The latest identified attack starts with an Excel document designed to lure users into enabling its macros. Once the macros are enabled, the document’s VBA code drops a hex-encoded DLL downloader and creates a shortcut file to execute the DLL.

The downloader is obfuscated with ConfuserEx. It checks for analysis tools and antivirus software, and verifies that the device is located in Ukraine, before constructing a web request to download the next-stage payload.

The downloaded file is executed and self-deletes to remove traces. It then decrypts and saves the data needed to establish persistence, adding registry values, and employs anti-debugging measures. The final stage decrypts and injects the Cobalt Strike payload, which communicates with its C2 servers using XOR-encoded data.

“As Office documents provide troves of functionality, including numerous plugins and scripts, users must exercise utmost caution when handling files sourced from dubious origins,” Fortinet warned. “Vigilance is paramount, particularly regarding any suspicious file drops or unfamiliar startup programs within registry settings.”
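As an added illustration of the endpoint telemetry a defender would watch for in the chain described above and in Fortinet’s closing advice (this is example code written for this article, not code from Fortinet or the advisory), the following Python script runs a small set of behavioural rules over constructed Sysmon-style events: an Office process writing a DLL or shortcut to disk, a loader process spawned by Office whose command line names a file Office has just dropped, and a process outside an allow-list writing a Run-key value. The paths, process names, event records and allow-list are assumptions chosen for the example.

```python
"""Behavioural hunt over Sysmon-style endpoint events for the chain the
advisory describes: an Office process dropping a DLL and a shortcut, the
macro handing off to a loader process, and a later stage writing a Run-key
value for persistence.  All event records below are constructed for this
example and are not telemetry from the advisory."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Extensions an Office document has no business writing to disk.
DROPPED_EXTENSIONS = {".dll", ".lnk", ".exe", ".vbs", ".js", ".hta"}
# Built-in Windows binaries commonly used to load a dropped DLL or script.
LOADER_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Programs expected to write Run keys on a managed host (assumption for this example).
RUN_KEY_ALLOWLIST = {"msiexec.exe", "explorer.exe"}


@dataclass(frozen=True)
class Event:
    kind: str         # "file_create", "process_create" or "registry_set"
    image: str        # full path of the process performing the action
    target: str       # created file, child command line, or registry value path
    parent: str = ""  # parent image, only meaningful for process_create


def proc_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, acting_process, target) tuples for every matching event."""
    alerts = []
    dropped = set()  # lower-cased paths of files written by Office, for correlation
    for e in events:
        proc = proc_name(e.image)
        if e.kind == "file_create" and proc in OFFICE_PROCESSES:
            if PureWindowsPath(e.target).suffix.lower() in DROPPED_EXTENSIONS:
                dropped.add(e.target.lower())
                alerts.append(("office_drops_executable", proc, e.target))
        elif e.kind == "process_create" and proc_name(e.parent) in OFFICE_PROCESSES:
            if proc in LOADER_PROCESSES:
                rule = "office_spawns_loader"
                # Stronger signal: the loader's command line names a file Office just dropped.
                if any(d in e.target.lower() for d in dropped):
                    rule = "office_loads_dropped_file"
                alerts.append((rule, proc, e.target))
        elif e.kind == "registry_set":
            if any(m in e.target.lower() for m in RUN_KEY_MARKERS) and proc not in RUN_KEY_ALLOWLIST:
                alerts.append(("unfamiliar_run_key_writer", proc, e.target))
    return alerts


# Constructed paths for the sample events (assumptions).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [  # constructed, in the order the chain would produce them
    Event("file_create", OFFICE, TEMP + r"\~$report.xlsx"),   # benign owner-lock file, no alert
    Event("file_create", OFFICE, TEMP + r"\update.dll"),       # decoded DLL downloader
    Event("file_create", OFFICE, STARTUP + r"\update.lnk"),    # shortcut that runs the DLL
    Event("process_create", r"C:\Windows\System32\rundll32.exe",
          r'rundll32.exe "' + TEMP + r'\update.dll",Start', parent=OFFICE),
    Event("registry_set", TEMP + r"\svc.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),      # persistence
    Event("registry_set", r"C:\Windows\System32\msiexec.exe",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),  # allow-listed installer
    Event("process_create", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          "chrome.exe", parent=r"C:\Windows\explorer.exe"),                     # unrelated activity
]

if __name__ == "__main__":
    for rule, proc, target in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {proc:14} {target}")
```

Run as-is, the script reports the two file drops by EXCEL.EXE, the rundll32.exe launch correlated to the dropped DLL, and the Run-key write by the unknown svc.exe, while the lock file, the installer’s Run-key write and the browser launch produce nothing. The allow-list is deliberately short: in a real deployment it would be built from the host’s known installers and management agents, and the correlation set would be keyed per host and aged out over time.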

Image credit: monticello / Shutterstock.com