An unknown threat actor targeted government entities in Ukraine in late 2023, using an older Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as bait.
The threat actor initiated the attack with a malicious PowerPoint (.PPSX) file sent as an attachment via a message on the secure messaging platform Signal. The file, disguised as an old US Army instruction manual for tank mine-clearing blades, actually contained a remote relationship to an external script hosted on a domain belonging to a Russian virtual private server (VPS) provider and fronted by Cloudflare.
According to a blog post on the attack that Deep Instinct published this week, the script triggered the CVE-2017-8570 exploit to gain RCE, in an attempt to steal information.
Behind the scenes of a complex cyberattack
In technical terms, the obfuscated script masqueraded as a Cisco AnyConnect APN configuration and was responsible for establishing persistence, decoding the embedded payload, and saving it to disk, in multiple stages to evade detection.
The payload includes a loader/packer dynamic link library (DLL) named “vpn.sessings” that loads a Cobalt Strike Beacon into memory and waits for instructions from the attacker’s command-and-control (C2) server.
Mark Vaitzman, threat lab team leader at Deep Instinct, notes that the Cobalt Strike penetration testing tool is very commonly used among threat actors, but this particular beacon uses a custom loader that relies on several techniques that slow down analysis.
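The remote relationship mentioned above is visible in the document's own structure: a .PPSX is a zip archive of XML parts, and each part's _rels file declares its relationships, with TargetMode="External" marking targets that live outside the package. The following Python script is an added example, not code from the Deep Instinct report; it builds a constructed sample package in memory (the hostname example.invalid, the file name stage2.sct and the part layout are placeholders, not indicators from the campaign) and lists every external relationship, so an analyst can spot a remote second stage without opening the file in Office.

```python
"""Triage helper: list external relationships in an OOXML PowerPoint file.

A .ppsx/.pptx is a zip archive of XML parts. Each part's _rels/*.rels file
declares its relationships; TargetMode="External" means the target lives
outside the package, which is how a lure slide can point at a remote script
instead of embedding it. Added example; the sample document is constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REMOTE_SCHEME = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)

# Relationship parts for the constructed sample. The external target is a
# placeholder URL, not an indicator from the campaign.
_CLEAN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
</Relationships>"""

_LURE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" Target="https://example.invalid/stage2.sct" TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx(with_external: bool = True) -> bytes:
    """Build a minimal PPSX-like zip in memory (constructed test input)."""
    rels = _LURE_RELS if with_external else _CLEAN_RELS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def find_external_relationships(doc_bytes: bytes) -> list:
    """Return one record per TargetMode="External" relationship in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # Keep only the last segment of the type URI, e.g. "oleObject".
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    # A URL scheme means the target is fetched over the network.
                    "remote": bool(REMOTE_SCHEME.match(target)),
                })
    return findings


def verdict(doc_bytes: bytes) -> str:
    """Summarise: 'remote-external' if any relationship points off-host."""
    findings = find_external_relationships(doc_bytes)
    if any(f["remote"] for f in findings):
        return "remote-external"
    if findings:
        return "local-external"
    return "clean"


if __name__ == "__main__":
    for label, sample in (("lure", build_sample_ppsx(True)), ("clean", build_sample_ppsx(False))):
        print(label, verdict(sample))
        for f in find_external_relationships(sample):
            print("  ", f["part"], f["id"], f["type"], "->", f["target"])
```

Point find_external_relationships at the bytes of a real file to use it on a suspect document. Treat the result as a triage signal rather than a verdict: ordinary hyperlinks also use TargetMode="External", so the relationship type matters; an oleObject or similar embedding relationship that resolves to a URL is what deserves a closer look, while a hyperlink relationship to a web page is usually benign.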
“It is continuously updated to provide attackers with an easy way to move laterally once the initial footprint is set,” he says. “[And it] has been implemented with several unique anti-analysis and evasion techniques.”
Vaitzman notes that a severe CVE allowing RCE was found in Cobalt Strike in 2022, and many researchers predicted that threat actors would modify the tool to create open source alternatives.
“Several cracked versions can be found on underground hacking forums,” he says.
Beyond the modified version of Cobalt Strike, he says, the campaign is also notable for the extent to which the threat actors continually attempt to disguise their files and activities as legitimate operating system and common application operations, to stay hidden and maintain control of infected machines for as long as possible. In this campaign, he says, the attackers took this “living off the land” strategy further.
“This attack campaign shows several masquerading techniques and an intelligent way of persistence that has not yet been documented,” he explains without divulging details.
The malware group has unknown make and model
Ukraine has been targeted by multiple threat actors on multiple occasions during the war with Russia, with the Sandworm group serving as the aggressor’s primary cyberattack unit.
But unlike most attack campaigns during the war, the threat lab team was unable to link this effort to any known threat group, which could indicate that it is the work of a new group or of a known threat actor using a fully updated toolset.
Mayuresh Dani, head of security research at Qualys Threat Research Unit, points out that using geographically disparate sources helps threat actors thwart attribution and makes it difficult for security teams to provide targeted protection based on geographic location.
“The sample was uploaded from Ukraine, the second stage was hosted and registered with a Russian VPS provider, and the Cobalt beacon [C2] was registered in Warsaw, Poland,” he explains.
He says what he found most interesting in the attack chain was the fact that the initial compromise was achieved via the secure app Signal.
“Signal Messenger has been widely used by security-focused personnel or those involved in clandestine information sharing, such as journalists,” he notes.
Strengthen your cyber armor with security awareness and patch management
Vaitzman says that because most cyberattacks begin with phishing or lure links via email or text, broader employee cyber awareness plays an important role in mitigating such attempts.
And for security teams: “We also recommend scanning for the provided IoCs in your network, as well as making sure Office is updated to the latest version,” Vaitzman says.
Callie Guenther, senior manager of cyber threat research at Critical Start, says that from a defense perspective, the reliance on older exploits also highlights the importance of robust patch management systems.
“Furthermore, the sophistication of the attack highlights the need for advanced detection mechanisms that go beyond signature-based cyber defense approaches,” she says, “by incorporating behavior and anomaly detection to identify modified malicious software.”