Skip to main content

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File

posted onJune 5, 2024
by l33tdawg
Dark Reading
Credit: Dark Reading

A threat actor is attempting to deploy the Cobalt Strike post-exploit toolkit on Windows systems belonging to users in Ukraine. The focus of the campaign appears to be to gain complete remote control of targeted systems for future payload deployment and potentially other malicious purposes, researchers at Fortinet said in a blog post this week.

The security vendor described the threat actor as using a Ukrainian-themed Excel file with an embedded Visual Basic application (VBA) macro as an initial lure. If an unwary user enables the macro, it deploys a dynamic link library (DLL) downloader — obfuscated via the ConfuserEX open source tool — on the victim system.

One of the first things the DLL downloader does is look for the presence of antivirus and other malware detection tools on the compromised system. If the downloader detects the presence of one, it immediately terminates further activity. Otherwise, it uses a Web request to pull the next stage payload from a remote location. The DLL downloader is designed so it can only download the second stage payload on devices located specifically in Ukraine. From there, the downloader then executes a series of steps that results in Cobalt Strike getting deployed on the victim device.

Source

Tags

Industry News

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th