Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File

A threat actor is attempting to deploy the Cobalt Strike post-exploit toolkit on Windows systems belonging to users in Ukraine.

The focus of the campaign appears to be to gain complete remote control of targeted systems for future payload deployment and potentially other malicious purposes, researchers at Fortinet said in a blog post this week.

Ukraine-Themed Document

The security vendor described the threat actor as using a Ukrainian-themed Excel file with an embedded Visual Basic application (VBA) macro as an initial lure. If an unwary user enables the macro, it deploys a dynamic link library (DLL) downloader — obfuscated via the ConfuserEX open source tool — on the victim system.

One of the first things the DLL downloader does is look for the presence of antivirus and other malware detection tools on the compromised system. If the downloader detects the presence of one, it immediately terminates further activity. Otherwise, it uses a Web request to pull the next stage payload from a remote location. The DLL downloader is designed so it can only download the second stage payload on devices located specifically in Ukraine. From there, the downloader then executes a series of steps that results in Cobalt Strike getting deployed on the victim device.

"In this sophisticated attack, the assailant employs multi-stage malware tactics to thwart detection while ensuring operational stability," Fortinet security researcher Cara Lin wrote in the blog. "By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts," Lin added.

Other evasion and persistence mechanisms include the use of encoded strings in the VBA macro to facilitate the deployment of DLL files, a self-deleting feature to evade detection mechanisms and a DLL injector that employs delaying tactics, and parent process termination mechanisms to evade sandboxes.

"These orchestrated maneuvers converge towards the deployment of Cobalt Strike onto targeted endpoints, particularly within the confines of Ukraine's geopolitical landscape," Lin said.

A Pattern of Targeting

The new campaign is similar to numerous others that have targeted individuals and organizations in Ukraine that Fortinet and others have reported in recent years, especially after Russia's 2022 invasion. Many of these attacks have involved attempts to disrupt and degrade the capabilities of Ukraine's critical infrastructure. Others have targeted Ukraine's government and military entities often in support of Russian military objectives in the country.

Cybergroups based in Russia and those working for its military intelligence have often been the primary perpetrators. Their weapons of choice have included everything from noisy data wipers and ransomware to highly sophisticated custom-designed tools such "Industroyer" that Russia's Sandworm group used in attacks against Ukraine's electric grid.

The new attacks that Fortinet detected recently are not the first involving the use of Cobalt Strike against Ukrainian targets either. In 2022, the security vendor observed another threat actor using a Ukrainian military-themed Excel document to deliver Cobalt Strike on systems in Ukraine. Last year, Ukraine's Computer Emergency Response Team reported on threat actor UAC-0057 using an XLS file with an embedded macro and a lure image to deploy Cobalt Strike Beacon and PicassoLoader malware on victim systems in Ukraine.