CyberSecurity SEE

Ukrainian Systems Targeted by Cobalt Strike Through Malicious Excel File

A recent cybersecurity threat has been identified targeting Windows systems belonging to users in Ukraine. According to researchers at Fortinet, the threat actor behind this campaign is aiming to gain complete remote control of the targeted systems for future payload deployment and potentially for other malicious purposes.

The campaign uses a Ukrainian-themed Excel file with an embedded Visual Basic for Applications (VBA) macro as the initial lure. If the user enables macros, the VBA code drops a dynamic-link library (DLL) downloader, obfuscated with the ConfuserEx .NET obfuscator, onto the system. The downloader first checks the compromised host for antivirus and other malware-detection tools and terminates if it finds any; otherwise it fetches the next-stage payload from a remote server via a web request. That second-stage download is restricted to devices located in Ukraine, and it ends in the deployment of Cobalt Strike on the victim’s machine.

Fortinet security researcher Cara Lin described the attack as sophisticated, using multi-stage malware to evade detection and keep the operation stable. The location check during the payload download is intended to mask suspicious activity and to limit scrutiny by analysts and sandboxes outside the target region. Further evasion and persistence measures include encoded strings in the VBA macro, a self-deleting feature that removes dropped components, and a DLL injector that delays execution to outlast sandbox analysis windows.
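The chain described in the two paragraphs above (Office process drops a DLL, a loader spawned from Office runs it, the loader talks to the web, the dropped file is deleted) leaves a sequence of host events that a detection engineer can correlate even when the obfuscation and the geofence hide the payload itself. The following is an added example written for this page, not Fortinet’s code or any indicator from their report: it scores constructed, Sysmon-style events per host against that sequence. The event schema, the sample paths, the IP address and the scoring threshold are all assumptions for illustration.

```python
"""Toy correlation of the Excel -> DLL downloader -> Cobalt Strike chain.

Constructed Sysmon-style events (not real telemetry) are scored per host on:
  1. an Office process writing a DLL into a user-writable path,
  2. rundll32/regsvr32 spawned by Office,
  3. that loader making an outbound network connection,
  4. the dropped DLL being deleted afterwards (self-deletion).
A host matching at least `threshold` of these is flagged.
"""
import re
from collections import defaultdict

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Assumed "user-writable" roots; extend for your environment.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
DROPPED = r"C:\Users\olena\AppData\Local\Temp\update.dll"  # hypothetical path

# Constructed sample events: ws01 is benign, ws02 shows the full chain.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "type": "process_create", "image": EXCEL,
     "parent": EXPLORER, "cmdline": "EXCEL.EXE budget.xlsx"},
    {"host": "ws02", "ts": 200, "type": "process_create", "image": EXCEL,
     "parent": EXPLORER, "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"host": "ws02", "ts": 205, "type": "file_create", "image": EXCEL,
     "target": DROPPED},
    {"host": "ws02", "ts": 206, "type": "process_create", "image": RUNDLL,
     "parent": EXCEL, "cmdline": f"rundll32.exe {DROPPED},Run"},
    {"host": "ws02", "ts": 210, "type": "network", "image": RUNDLL,
     "dest": "203.0.113.10:443"},  # documentation-range IP, constructed
    {"host": "ws02", "ts": 240, "type": "file_delete", "image": RUNDLL,
     "target": DROPPED},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return {host: [finding, ...]} for hosts with at least one finding."""
    findings = defaultdict(list)
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    for host, evs in by_host.items():
        dropped = set()   # DLL paths written by an Office process
        loaders = set()   # loader image paths spawned by an Office process
        for e in evs:
            img = basename(e["image"])
            if e["type"] == "file_create" and img in OFFICE_IMAGES:
                t = e["target"]
                if t.lower().endswith(".dll") and USER_WRITABLE.match(t):
                    dropped.add(t.lower())
                    findings[host].append(f"office_dropped_dll:{t}")
            elif (e["type"] == "process_create" and img in DLL_LOADERS
                  and basename(e["parent"]) in OFFICE_IMAGES):
                loaders.add(e["image"].lower())
                findings[host].append(f"office_spawned_loader:{e['cmdline']}")
            elif e["type"] == "network" and e["image"].lower() in loaders:
                findings[host].append(f"loader_network:{e['dest']}")
            elif e["type"] == "file_delete" and e["target"].lower() in dropped:
                findings[host].append(f"dropped_dll_deleted:{e['target']}")
    return dict(findings)


def flag_hosts(events, threshold=3):
    """Hosts whose finding count reaches the (assumed) threshold."""
    return sorted(h for h, f in analyse(events).items() if len(f) >= threshold)


if __name__ == "__main__":
    for host, f in analyse(SAMPLE_EVENTS).items():
        print(host, *f, sep="\n  ")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

The antivirus check and the Ukraine-only download are not visible in this kind of telemetry, so the score rests on the events the host does emit; the file-delete step is what the article’s self-deletion feature would produce, and the gap between the loader start and its network request is where the injector’s delay tactic would show up if you add a timing condition.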

The targeting in this campaign mirrors numerous other attacks against individuals and organizations in Ukraine, especially since Russia’s invasion in 2022. Many of those attacks have sought to disrupt and degrade Ukraine’s critical infrastructure, while others have gone after government and military entities in support of Russian military objectives in the country. Threat groups based in Russia, including those working for its military intelligence, have been the primary perpetrators, using tools ranging from ransomware to purpose-built malware such as Industroyer, the family used against Ukraine’s power grid.

The use of Cobalt Strike against Ukrainian targets is not new; Fortinet observed similar attacks in 2022 and earlier. Threat actors have repeatedly used Ukrainian-themed documents to deliver Cobalt Strike to systems in Ukraine, and this campaign shows that lure-plus-macro delivery remains effective. Organizations and individuals in Ukraine should keep macros disabled for documents from outside the organization, monitor for Office processes dropping or launching DLLs, and maintain the other defensive measures this kind of activity calls for.
