Unknown threat actor uses old-school technique to target Ukraine

Researchers have observed a new cyberattack campaign in which an unknown threat actor is targeting Ukraine-based entities intending to deploy Cobalt Strike Beacon.

The attack begins with an email containing a Microsoft Excel attachment that, when opened, asks the recipient to “enable macros in order to view content.” When the user accepts, they are directed to a document that appears to show funds allocated to military units.

However, in the background, the HEX-encoded macro is now beginning a multi-stage process to download Cobalt Strike Beacon from the typo-squatted domain simonandschuster[.]shop and ultimately install it on the victim’s machine.

Cobalt Strike was originally developed and is still maintained as a legitimate pen testing tool, however, it has a long track record of being used by threat actors for malicious purposes.

Source: The Hacker News

Analysis

Embedding malicious macros in Microsoft Office documents has been a popular technique among threat actors looking to deploy malware on target networks. The technique plays on recipients’ tendencies to quickly dismiss any warnings, especially when accessing content of interest.

Furthermore, since content is actually displayed, most users aren’t aware they have done anything wrong, when in fact malware has been discreetly installed on their machine. To help mitigate the risk that this attack vector poses, Microsoft blocked macros by default as of July 2022, however, users can still override this security control.

While there’s no evidence linking Russia to this Cobalt Strike campaign—other than its interest in Ukraine—Russian state-sponsored actors have been observed leveraging malicious macros.

For example, in 2015, the Russian Military Intelligence Directorate (GRU), codenamed APT 28, used this method to target and compromise three separate Ukraine-based power companies in an attack that ultimately led to the loss of electricity to nearly 200,000 Ukrainian households.

Image 1: Screenshot of the malicious macro used by APT 28 during its attack on Ukrainian energy companies.

Furthermore, the use of the domain simonandschuster[.]shop, which imitates the legitimate domain belonging to bookseller Simon and Shuster, is a good reminder for organizations to register all Top-Level Domains (TLD) to prohibit threat actors from using them for malicious activities.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for threats emanating from Russian and other state-sponsored cyber actors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose. Field Effect MDR users are automatically notified when malicious activities associated with these groups are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages organizations to train their employees to recognize phishing emails and scrutinize attachments, especially those containing macros. Organizations may also wish to permanently disable macros for documents received externally.

Finally, Field Effect users are encouraged to submit suspicious emails they receive to our Suspicious Email Analysis Service (SEAS) which will provide them with details regarding any potential threat the email may contain.

Related Articles

• U.S government warns pro-Russian hacktivists targeting critical infrastructure
• APT29 gains access to Microsoft systems and source code
• Russian APT28 hackers exploiting known flaws in latest campaign