
UNC1151 Hackers Using Excel Documents as Weapons to Target Windows Machines


The cybersecurity firm Mandiant recently discovered a sophisticated information campaign conducted by UNC1151, targeting several countries including Ukraine, Lithuania, Latvia, and Poland. This campaign involved the use of disinformation tactics to spread malware and compromise the systems of targeted entities.

The attackers behind this campaign used spam emails carrying Excel documents with VBA macros as the primary infection vector. When enabled, the macros dropped LNK and DLL files onto the targeted systems; executing the LNK file in turn loaded the DLL. This chain is the likely route by which the attackers gained access to the systems and carried out their malicious activities.

What sets this campaign apart from previous ones is the use of an encrypted JPG file to deliver the final payload. Earlier campaigns used encrypted SVG files instead, hinting at a potential switch to different final payloads such as AgentTesla, Cobalt Strike, or njRAT. This evolution in tactics and payloads shows the adaptability and sophistication of the UNC1151 threat actors.

In a similar cyber campaign in 2023, Ukrainian and Polish entities were targeted using weaponized Excel and PowerPoint files disguised as legitimate documents. These files contained macros that, once enabled, downloaded and executed obfuscated DLLs or downloaders. The encrypted payloads were concealed within innocent-looking JPG image files, ultimately deploying malware like njRAT, AgentTesla, and Cobalt Strike for information theft and remote system access.

In April 2024, a spearphishing attack specifically targeted the Ukrainian military, sending emails with a compressed archive that included drone images and a malicious Excel spreadsheet with a macro. Upon opening the Excel file and enabling macros, a VBA macro dropped a shortcut file and a malicious DLL onto the targeted systems, initiating a chain of malicious executions disguised as legitimate Windows processes.

The DLL loader, a malicious .NET file, checked for specific processes and modified system security settings before downloading an encrypted DLL from a remote server. The downloaded DLL was decoded and executed using Rundll32.exe, after which the malware removed itself from the system, a deviation from previous campaigns that used Regsvr32.exe and plain strings for malicious operations.
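The execution chain described above (Excel macro dropping an LNK and a DLL, the LNK launching rundll32.exe on that DLL) leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example written for this article, not code from the article or from Cyble; the `ProcEvent` record is an assumed, minimal stand-in for a Sysmon Event ID 1 entry, and the sample events are constructed, not real indicators.

```python
import re
from dataclasses import dataclass

# Paths a low-privilege user can write to; a signed LOLBin loading a DLL from
# one of these is the telltale of the dropped-DLL stage the article describes.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I,
)
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "mshta.exe"}
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)', re.I)  # first DLL path on a command line

@dataclass
class ProcEvent:  # assumed minimal shape of a process-creation record
    pid: int
    ppid: int
    image: str
    cmdline: str

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def flag_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the detection names this event trips (empty list = nothing suspicious)."""
    reasons = []
    img = _base(ev.image)
    parent = by_pid.get(ev.ppid)
    # Stage 1: the macro hands off to a script host or LOLBin directly under Excel.
    if parent and _base(parent.image) in OFFICE and img in LOLBINS:
        reasons.append("office-spawned-lolbin")
    # Stage 2: the LNK (often via explorer.exe, so the parent is NOT Excel) runs
    # rundll32/regsvr32 on the dropped DLL; judge by where the DLL lives instead.
    if img in {"rundll32.exe", "regsvr32.exe"}:
        m = DLL_ARG.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append(f"{img[:-4]}-dll-in-user-writable-path")
    return reasons

def scan(events: list) -> dict:
    """Map pid -> reasons for every flagged event in a batch of process creations."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := flag_event(e, by_pid))}

SAMPLE_EVENTS = [  # constructed telemetry mirroring the described chain, not real IoCs
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\alice\Downloads\drone_photos.xls'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start "" "C:\Users\alice\AppData\Roaming\report.lnk"'),
    ProcEvent(400, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\loader.dll,Start"),
    ProcEvent(500, 1, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the cmd.exe spawned by Excel and the rundll32.exe loading a DLL from AppData, while the legitimate rundll32.exe call on shell32.dll is left alone.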

According to Cyble, the tactics, techniques, and procedures (TTPs) observed in this year’s campaign differ from the previous year’s in how the final payload is delivered. The 2024 loader files retrieved an encrypted payload from a malicious SVG URL, whereas in the previous year the payload came as a JPG file. The code that downloads the next stage also became more complex, using Binder functionality instead of the simpler Assembly.Load call.

The relentless and evolving nature of cyber threats like UNC1151 highlights the importance of robust cybersecurity measures for all organizations. To protect against such sophisticated attacks, it is crucial for entities to stay informed about the latest threat actors and their tactics, as well as implement comprehensive security solutions to safeguard their digital assets from potential breaches.
