
Submitted URL: http://fortinet.com/blog/threat-research/menace-unleashed-excel-file-deploys-cobalt-strike-at-ukraine
Effective URL: https://www.fortinet.com/blog/threat-research/menace-unleashed-excel-file-deploys-cobalt-strike-at-ukraine
Submission: On June 06 via api from DE — Scanned from DE

FortiGuard Labs Threat Research


MENACE UNLEASHED: EXCEL FILE DEPLOYS COBALT STRIKE AT UKRAINE

By Cara Lin | June 03, 2024
 * Article Contents
 * Excel Document
 * DLL Downloader
 * DLL Injector
 * The Cobalt Strike Payload
 * Conclusion
 * Fortinet Protections
 * IOCs


Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Compromised machines are under the control of the threat actor
Severity Level: High

FortiGuard Labs has recently identified a sophisticated cyberattack involving an
Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker
uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike"
payload and establish communication with a command and control (C2) server. This
attack employs various evasion techniques to ensure successful payload delivery.

Over the past few years, Ukraine has been a significant target due to its
geopolitical situation. The history of these attacks reveals a pattern of
increasing complexity and frequency, particularly during periods of geopolitical
tension. For instance, in 2022, FortiGuard Labs reported a campaign using a
malicious Excel document themed around the Ukrainian military to deliver a
multi-stage Cobalt Strike loader. In 2023, Ukraine’s Computer Emergency Response
Team (CERT-UA) disclosed that UAC-0057 was involved in an attack using a
malicious XLS file containing a macro and a lure image to deploy PicassoLoader
and Cobalt Strike Beacon on compromised systems.

In this article, we will explore the technical details of this latest
multi-stage attack.


Figure 1: Attack flow


EXCEL DOCUMENT

The malicious Excel document contains elements in Ukrainian designed to lure the
user into enabling its macros.


Figure 2: Excel document before enabling VBA

Once the VBA macro is enabled, the document switches to sheets related to the
calculation of the “amount of budget funds allocated to military units”
(translated from “обсягу бюджетних коштів, що спрямовуються до військових
частин”).


Figure 3: Excel document after enabling VBA

The primary function of the VBA macro is to deploy a DLL downloader, which is
encoded in HEX. Additionally, most of the strings in the VBA code are
HEX-encoded to evade basic string detection mechanisms.
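A small triage helper for the HEX-encoded-string technique just described, added here as an example that is not Fortinet's code and not the macro from the analysed document. It pulls every string literal that consists only of hex digit pairs out of a macro's text, decodes those that turn into printable ASCII, and reports what share of all string literals are hex-encoded, which is a quick signal that a macro is hiding its imports and commands. The `SAMPLE_VBA` text, its `HexToStr` helper name and the literals inside it are constructed for the demo.

```python
import re

# Constructed sample of VBA using the HEX-string technique described above;
# this is illustrative text, not the macro from the analysed document.
SAMPLE_VBA = '''
Private Sub Workbook_Open()
    Dim cmd As String
    cmd = HexToStr("52756e444c4c33322e455845")
    Call Shell(cmd & " " & HexToStr("7368656c6c33322e646c6c2c5368656c6c457865635f52756e444c4c"), 0)
End Sub
'''

# A VBA string literal made entirely of hex digit pairs (at least 4 bytes long).
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')
# Any VBA string literal (VBA's "" escape is not handled; good enough for triage).
ANY_LITERAL = re.compile(r'"([^"\n]*)"')


def decode_hex_literals(vba_text):
    """Return (hex_literal, decoded_text) pairs for literals that decode to printable ASCII."""
    found = []
    for m in HEX_LITERAL.finditer(vba_text):
        raw = bytes.fromhex(m.group(1))
        if all(0x20 <= b < 0x7F for b in raw):
            found.append((m.group(1), raw.decode("ascii")))
    return found


def hex_literal_ratio(vba_text):
    """Share of string literals that are pure hex: a cheap signal for an encoded macro."""
    literals = ANY_LITERAL.findall(vba_text)
    if not literals:
        return 0.0
    hexish = sum(1 for s in literals if HEX_LITERAL.fullmatch(f'"{s}"'))
    return hexish / len(literals)


if __name__ == "__main__":
    for literal, text in decode_hex_literals(SAMPLE_VBA):
        print(f"{literal[:16]}... -> {text}")
    print(f"hex literal ratio: {hex_literal_ratio(SAMPLE_VBA):.2f}")
```

Run it against the VBA project extracted from a suspect workbook (for example with olevba) rather than the constructed sample; a high ratio together with decoded strings naming shell or registry paths is worth a closer look even before the macro is executed in a sandbox.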


Figure 4: The "workbook_open()" function

After dropping the DLL file “Ac83faafb23919Ae9.DLl” into
“%APPDATA%\VIBErpc\bIn\biN,” the macro creates a shortcut named “ACtIVePRObE” in
“%APPDATA%\Microsoft.” It then uses the “Shell” command to execute “RunDLL32.EXE
shell32.dll,ShellExec_RunDLL '%APPDATA%\Microsoft\ACtIVePRObE.lnk', 0.” This LNK
file is designed to call regsvr32 to execute the DLL file
“Ac83faafb23919Ae9.DLl.”


Figure 5: Creating the LNK file




Figure 6: The LNK file


DLL DOWNLOADER

The downloader “Ac83faafb23919Ae9.DLl” is obfuscated with ConfuserEx.


Figure 7: DLL downloader “Ac83faafb23919Ae9.DLl”

First, it examines process names for specific strings: “processhacker,”
“avastui,” “aswtoolssvc,” “wsc_proxy,” “procexp,” “overseer,” and “avastsvc.” If
it detects a matching process associated with an analysis tool or antivirus
software, it terminates the program.


Figure 8: Checking the process names

Once the process check passes, it constructs a web request to fetch the
next-stage payload from the URL
“hxxps://goudieelectric[.]shop/cms/svg/6364.2809640e[.]chunk.svg.” The required
file is only served if the device is located in Ukraine. It then extracts the
base64-encoded data from the section that starts with “href=” and XORs it with
a hard-coded byte array. Finally, it generates a random file name and saves the
decoded data to the TEMP folder.
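The extraction step above, reproduced as an analyst-side decoder; this is an added example, not Fortinet's code or the downloader's own logic. Given the SVG body that the server returned (captured from a sandbox or proxy log), it locates the base64 after `href=`, decodes it, applies the repeating-key XOR, and checks whether the result starts with an MZ header. The key `DEMO_KEY`, the `build_demo_svg` helper and both SVG bodies are constructed for the demo because the page does not reproduce the real array; the decoy SVG stands in for the no-payload response served when the geolocation check fails.

```python
import base64
import re

# Hypothetical XOR key array; the sample's real hard-coded array is not
# reproduced on the page, so this constructed one stands in for it.
DEMO_KEY = bytes([0x13, 0x37, 0x42, 0x99, 0x5A])

# base64 that follows href= (a data: URI prefix is tolerated, as in a real <image>).
HREF_B64 = re.compile(r'href="(?:data:[^;"]+;base64,)?([A-Za-z0-9+/=]+)"')


def xor_with_key(data, key):
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_stage(svg_text, key):
    """Pull the base64 after href=, decode and XOR it; None if no payload is present."""
    m = HREF_B64.search(svg_text)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(1), validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return None
    return xor_with_key(blob, key)


def looks_like_pe(data):
    """Sanity check: a decoded stage that is a Windows DLL starts with the MZ header."""
    return data is not None and data[:2] == b"MZ"


def build_demo_svg(payload, key):
    """Constructed 'successful' response: the stage XORed and base64-embedded in an href."""
    enc = base64.b64encode(xor_with_key(payload, key)).decode("ascii")
    return ('<svg xmlns="http://www.w3.org/2000/svg">'
            f'<image href="data:image/png;base64,{enc}"/></svg>')


# Constructed inputs: a stand-in stage (MZ header plus filler) and a decoy SVG
# like the one served when the geolocation check fails (no payload at all).
DEMO_STAGE = b"MZ" + b"\x90" * 14 + b"constructed stage bytes, not a real DLL"
DEMO_SVG_OK = build_demo_svg(DEMO_STAGE, DEMO_KEY)
DEMO_SVG_DECOY = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

if __name__ == "__main__":
    for label, svg in (("geo ok", DEMO_SVG_OK), ("geo failed", DEMO_SVG_DECOY)):
        stage = extract_stage(svg, DEMO_KEY)
        print(f"{label}: payload={'yes' if stage else 'no'} pe={looks_like_pe(stage)}")
```

When the real key is unknown, the MZ check is the hook for recovering it: the first bytes of a PE image are predictable, so XORing the decoded blob's leading bytes against `MZ\x90\x00` yields the first key bytes directly.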


Figure 9: Constructing a web request




Figure 10: The SVG file with unsuccessful geolocation verification




Figure 11: The SVG file with successful geolocation verification

It then executes the decoded file using “rundll32.exe,” followed by a sleep
command to wait for the execution to finish. Once completed, it deletes the
decoded file to remove any traces.


Figure 12: Execute the decoded data

The decoded data is also a .NET DLL file tasked with decrypting the file for the
next stage and establishing persistence.


Figure 13: The decoded file is packed with ConfuserEx

Next, it checks if the targeted file exists. If not, it creates the file
“C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll.”
It then uses the hard-coded key to decrypt the data using an RC4 algorithm and
writes the data to the newly created file. 
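The decryption step for the next stage, shown as an added example that is not Fortinet's code and does not use the sample's real key (the page does not reproduce it). The RC4 routine is the standard algorithm, so it can be dropped into a script that takes the hard-coded key recovered from the .NET decompilation and the encrypted bytes, and it reports whether the output looks like a PE image. `DEMO_KEY` and `DEMO_STAGE` are constructed for the demo.

```python
def rc4(key, data):
    """RC4 key scheduling plus keystream generation; encrypt and decrypt are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(key, blob):
    """Decrypt an RC4-protected stage and report whether it looks like a PE (DLL) image."""
    plain = rc4(key, blob)
    return plain, plain[:2] == b"MZ"


# Hypothetical key; the sample's own hard-coded key is not reproduced on the page.
DEMO_KEY = b"constructed-demo-key"
# Constructed stand-in for the next stage (just an MZ header plus filler).
DEMO_STAGE = b"MZ" + b"\x00" * 30 + b"constructed stage, not a real DLL"
DEMO_BLOB = rc4(DEMO_KEY, DEMO_STAGE)

if __name__ == "__main__":
    plain, is_pe = decrypt_stage(DEMO_KEY, DEMO_BLOB)
    print(f"decrypted {len(plain)} bytes, PE header present: {is_pe}")
```

The `rc4` function is checked in the test against the published RC4 test vector (key `Key`, plaintext `Plaintext`), so a wrong key on a real sample shows up as a missing MZ header rather than as a silent mis-decryption.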


Figure 14: Writing the RC4-decrypted content into the newly created file

It then adds the registry value “C:\Windows\System32\regsvr32.exe /s
C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll”
under “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” for persistence and uses
InvokeMethod with “Create” to execute the command stored in the registry.
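A defender-side check for the persistence pattern above, added as an example that is not Fortinet's code. Run-key values that pair a proxy binary such as regsvr32.exe or rundll32.exe with a DLL under a user-writable location (ProgramData, AppData, Temp) are rare in a clean profile, and that combination is exactly what the sample writes. The `SAMPLE_RUN_ENTRIES` list is constructed: only the ResetEngine line mirrors the value described on this page, the other two are typical benign entries. On a Windows host the script reads the live HKCU and HKLM Run keys via `winreg`; elsewhere it falls back to the constructed sample.

```python
import sys

# Constructed Run-key entries (value name, command line); only the ResetEngine
# line mirrors the persistence value described in the write-up.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("ResetEngine", r"C:\Windows\System32\regsvr32.exe /s "
                    r"C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll"),
]

# Proxy-execution binaries that rarely belong in a Run value...
PROXY_BINARIES = ("regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe")
# ...and locations a standard user can write to, where a dropped DLL would live.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\public\\", "\\temp\\")


def suspicious_run_entries(entries):
    """Flag Run values that pair a proxy binary with a target under a user-writable path."""
    hits = []
    for name, command in entries:
        low = command.lower()
        uses_proxy = any(b in low for b in PROXY_BINARIES)
        writable_target = any(p in low for p in USER_WRITABLE)
        if uses_proxy and writable_target:
            hits.append((name, command))
    return hits


def read_live_run_entries():
    """Collect HKCU and HKLM Run values on a Windows host; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values in this key
                    break
                entries.append((name, str(value)))
                index += 1
    return entries


if __name__ == "__main__":
    entries = read_live_run_entries() or SAMPLE_RUN_ENTRIES
    for name, command in suspicious_run_entries(entries):
        print(f"[!] {name}: {command}")
```

The same two-part rule (proxy binary plus writable path) translates directly into a Sysmon Event ID 13 or EDR registry-write detection, which catches the value at the moment it is written rather than on the next audit.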


Figure 15: Add registry




Figure 16: Execute the “ResetEngine.dll"


DLL INJECTOR

The file “ResetEngine.dll” serves as the core component for decrypting and
injecting the final payload. It uses “NtDelayExecution” to evade the detection
of malicious activities within sandboxes. It then iterates to inspect processes
and attempts to terminate the parent process, if any, in order to implement its
anti-debugging measures.


Figure 17: Delay execution and Anti-debug

Once these evasion checks are complete, it decrypts the final payload with an
AES algorithm.


Figure 18: Decrypt data

After decryption, it injects the decrypted data into itself and employs various
APIs, including “GetCurrentProcessId,” “OpenProcess,” “VirtualAllocEx,”
“WriteProcessMemory,” “CreateRemoteThread,” and “WaitForSingleObject” to execute
the final Cobalt Strike.






Figure 19: Writing Cobalt Strike into memory


THE COBALT STRIKE PAYLOAD

The configuration extraction process involves XOR-ing with 0x2E, allowing us to
decipher the information hidden within. By extracting and parsing the
configuration, we unveiled the Beacon’s Cobalt Strike Team Server’s (C2) URLs:
“hxxps://simonandschuster[.]shop/the-zero-residual-concept/products” and
“hxxps://simonandschuster[.]shop/the-zero-residual-concept/sjj-solutions.” 
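The configuration-extraction step above, written out as an added example that is not Fortinet's tooling. The page gives only the single-byte XOR key (0x2E); the record layout the parser walks afterwards (big-endian u16 index, u16 type, u16 length, then the value, with type 1 = u16, 2 = u32, 3 = bytes, and an index of 0 ending the list) and the setting indices in `SETTING_NAMES` are taken from publicly documented Beacon config parsers and are an assumption here, not something this write-up states. `build_demo_config` produces a constructed blob in that layout so the decoder can be exercised offline; the host and URIs in it are placeholders, not the C2 from this campaign.

```python
import struct

XOR_KEY = 0x2E  # single-byte key named in the write-up

# Setting indices assumed from public Beacon parsers (not stated on the page).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
                 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}


def xor_decode(blob, key=XOR_KEY):
    """Undo the single-byte XOR that hides the configuration block."""
    return bytes(b ^ key for b in blob)


def parse_beacon_settings(decoded):
    """Walk index/type/length records until an index of 0 or the buffer runs out."""
    settings = {}
    pos = 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        pos += 6
        if idx == 0:
            break
        value = decoded[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            value = struct.unpack(">H", value)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", value)[0]
        elif typ == 3:
            value = value.rstrip(b"\x00")       # string settings are NUL-padded
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
    return settings


def extract_c2(blob, key=XOR_KEY):
    """Decode a config blob and return (host, uri) from the C2Server setting."""
    settings = parse_beacon_settings(xor_decode(blob, key))
    host, _, uri = settings["C2Server"].decode("ascii", "replace").partition(",")
    return host, uri


def build_demo_config():
    """Constructed blob in the assumed TLV layout, XORed with 0x2E; not a real beacon."""
    def rec(idx, typ, value):
        return struct.pack(">HHH", idx, typ, len(value)) + value
    raw = (rec(1, 1, struct.pack(">H", 8))
           + rec(2, 1, struct.pack(">H", 443))
           + rec(3, 2, struct.pack(">I", 60000))
           + rec(8, 3, b"c2.example.invalid,/the-demo-uri".ljust(256, b"\x00"))
           + rec(10, 3, b"/the-demo-post".ljust(64, b"\x00"))
           + b"\x00" * 6)                       # end marker (index 0)
    return xor_decode(raw)


if __name__ == "__main__":
    for name, value in parse_beacon_settings(xor_decode(build_demo_config())).items():
        print(f"{name:12} {value!r}")
    print("C2:", extract_c2(build_demo_config()))
```

On a real memory dump the blob is found by scanning for the XOR-encoded form of the first record's header, and the resulting `C2Server` and `HttpPostUri` values are what feed the domain block list in the IOC section below.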


Figure 20: Decoded configuration




Figure 21: Cobalt Strike’s POST request


CONCLUSION

In this sophisticated attack, the assailant employs multi-stage malware tactics
to thwart detection while ensuring operational stability. By implementing
location-based checks during payload downloads, the attacker aims to mask
suspicious activity, potentially eluding scrutiny by analysts. Leveraging
encoded strings, the VBA conceals crucial import strings, facilitating the
deployment of DLL files for persistence and decrypting subsequent payloads.
Furthermore, the self-deletion feature aids evasion tactics, while the DLL
injector employs delaying tactics and terminates parent processes to evade
sandboxing and anti-debugging mechanisms, respectively.

These orchestrated maneuvers converge towards the deployment of Cobalt Strike
onto targeted endpoints, particularly within the confines of Ukraine's
geopolitical landscape. As Office documents provide troves of functionality,
including numerous plugins and scripts, users must exercise utmost caution when
handling files sourced from dubious origins. Vigilance is paramount,
particularly regarding any suspicious file drops or unfamiliar startup programs
within registry settings.


FORTINET PROTECTIONS

The malware described in this report is detected and blocked by FortiGuard
Antivirus as:

VBA/Agent.APO!tr
W32/Injector.S!tr
MSIL/Agent.QTS!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is part of each of these solutions. As
a result, customers who have these products with up-to-date protections are
protected.

The FortiGuard Web Filtering Service blocks the C2 server.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the
malicious macros in the document.

We also suggest that organizations go through Fortinet’s free cybersecurity
training module: Fortinet Certified Fundamentals. This module is designed to
help end users learn how to identify and protect themselves from phishing
attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks
these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your
organization, please contact our Global FortiGuard Incident Response Team.


IOCS

Domains

goudieelectric[.]shop
simonandschuster[.]shop

Files (SHA-256)

88c97af92688d03601e4687b290d4d7f9f29492612e29f714f26a9278c6eda5b
815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be
9649d58a220ed2b4474a37d6eac5f055e696769f87baf58b1d3d0b5da69cbce5
af8104e567c6d614547acb36322ad2ed6469537cd1d78ae1be65fbde1d578abc
de1bceb00c23e468f4f49a79ec69ec8ad3ed622a3ffc08f84c0481ad0f6f592b
6f4642a203541426d504608eed7927718207f29be2922a4c9aa7e022f22e0deb
d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf
d9b16f077cd6e00137ba208031d22fd6423d0ef303883ad4b6f78638693f2044

Tags:

excel, ukraine, Cobalt Strike

