Cybersecurity researchers have discovered a targeted operation against Ukraine that has been observed leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.
The attack chain, which took place at the end of 2023 according to Deep Instinct, uses a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx") as the starting point, with the filename implying that it could have been shared via the Signal instant messaging app.
That said, there is no concrete evidence to suggest that the PPSX file was distributed in this way, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered two different campaigns that used the messaging app as a malware delivery vector in the past.
Just last week, the agency disclosed that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source tools such as sigtop and tusc to exfiltrate data from computers.
"The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of the U.S. Army for mine clearing blades (MCB) for tanks," security researcher Ivan Kosarev said. "The PPSX file includes a remote relationship to an external OLE object."
This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that could allow an attacker to perform arbitrary actions upon convincing a victim to open a specially crafted file, to load a remote script hosted on weavesilk[.]space.
The heavily obfuscated script subsequently launches an HTML file containing JavaScript code, which, in turn, sets up persistence on the host via the Windows Registry and drops a next-stage payload that impersonates the Cisco AnyConnect VPN client.
The payload includes a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into system memory and awaits further instructions from a command-and-control (C2) server ("petapixel[.]fun").
The DLL also packs in features to check whether it is being executed in a virtual machine and to evade detection by security software.
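One defender-side check for the first stage described above, added here as an example and not code from Deep Instinct or the article: a PPSX is a ZIP container of Office Open XML parts, so a remote OLE object appears as an oleObject relationship carrying TargetMode="External" in a slide's .rels part, which a triage script can flag before the file is ever opened. The sample deck and the URL in it are constructed placeholders, not the campaign's infrastructure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office Open XML identifiers for relationship parts and OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_relationships(ppsx_bytes):
    """Scan every .rels part inside a PPSX/PPTX and return
    (rels_part, relationship_id, target) for each oleObject relationship whose
    TargetMode is External, i.e. an OLE object fetched from outside the file.
    Embedded (internal) OLE objects are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def build_sample_ppsx(ole_target, external=True):
    """Constructed minimal deck with only the parts needed to exercise the
    scanner; a real PPSX carries many more parts, but the .rels content is
    what the check inspects."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_ppsx("http://example.invalid/loader")  # placeholder URL
    for part, rid, target in find_external_ole_relationships(sample):
        print(f"{part}: {rid} -> {target}")
```

A hit is not proof of exploitation on its own, but an external OLE target in a slideshow received from an untrusted sender is rare enough to justify detonation or blocking at the mail gateway.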
Deep Instinct said it could neither link the attacks to a specific threat actor or group nor exclude the possibility of a red teaming exercise. Also unclear is the exact end goal of the intrusion.
"The lure contained military-related content, suggesting it was targeting military personnel," Kosarev said.
"But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (weavesilk[.]com) and a popular photography website (petapixel[.]com). These are unrelated, and it's a bit puzzling why an attacker would use these specifically to fool military personnel."
The disclosure comes as CERT-UA revealed that about 20 energy, water, and heating suppliers in Ukraine have been targeted by a Russian state-sponsored group known as UAC-0133, a sub-cluster within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for a majority of all the disruptive and destructive operations against the country.
The attacks, which aimed to sabotage critical operations, involve the use of malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, as well as GOSSIPFLOW and LOADGRIP.
While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary written in C that is used to load BIASBOAT on compromised Linux hosts.
Sandworm is a prolific and highly adaptive threat group linked to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). It is known to have been active since at least 2009, with the adversary also tied to several hack-and-leak hacktivist personas such as XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek.
"Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations," Mandiant said, describing the advanced persistent threat (APT) as engaged in a multi-pronged effort to help Russia gain a wartime advantage since January 2022.
"APT44 operations are global in scope and mirror Russia's wide-ranging national interests and ambitions. Patterns of activity over time indicate that APT44 is tasked with a range of different strategic priorities and is highly likely viewed by the Kremlin as a flexible instrument of power capable of serving both enduring and emerging intelligence requirements."
Some parts of this article are sourced from:
thehackernews.com