Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Compromised machines are under the control of the threat actor
Severity Level: High
FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure successful payload delivery.
Over the past few years, Ukraine has been a significant target due to its geopolitical situation. The history of these attacks reveals a pattern of increasing complexity and frequency, particularly during periods of geopolitical tension. For instance, in 2022, FortiGuard Labs reported a campaign using a malicious Excel document themed around the Ukrainian military to deliver a multi-stage Cobalt Strike loader. In 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed that UAC-0057 was involved in an attack using a malicious XLS file containing a macro and a lure image to deploy PicassoLoader and Cobalt Strike Beacon on compromised systems.
In this article, we will explore the technical details of this latest multi-stage attack.
The malicious Excel document contains elements in Ukrainian designed to lure the user into enabling its macros.
Figure 2: Excel document before enabling VBA
Once the VBA macro is enabled, the document switches to sheets related to the calculation of the “amount of budget funds allocated to military units” (translated from “обсягу бюджетних коштів, що спрямовуються до військових частин”).
Figure 3: Excel document after enabling VBA
The primary function of the VBA macro is to deploy a DLL downloader, which is encoded in HEX. Additionally, most of the strings in the VBA code are HEX-encoded to evade basic string detection mechanisms.
Figure 4: The "workbook_open()" function
After dropping the DLL file “Ac83faafb23919Ae9.DLl” into “%APPDATA%\VIBErpc\bIn\biN,” the macro creates a shortcut named “ACtIVePRObE” in “%APPDATA%\Microsoft.” It then uses the “Shell” command to execute “RunDLL32.EXE shell32.dll,ShellExec_RunDLL '%APPDATA%\Microsoft\ACtIVePRObE.lnk', 0.” This LNK file is designed to calls regsvr32 to execute the DLL file “Ac83faafb23919Ae9.DLl.”
Figure 5: Creating the LNK file
The downloader “Ac83faafb23919Ae9.DLl.” is obfuscated with ConfuserEx.
Figure 7: DLL downloader “Ac83faafb23919Ae9.DLl”
First, it examines process names for specific strings: “processhacker,” “avastui,” “aswtoolssvc,” “wsc_proxy,” “procexp,” “overseer,” and “avastsvc.” If it detects a matching process associated with an analysis tool or antivirus software, it terminates the program.
Figure 8: Checking the process names
Once passing the process checking, it constructs a web request to get the next stage payload from the URL “hxxps://goudieelectric[.]shop/cms/svg/6364.2809640e[.]chunk.svg.” It can only download the required file if the device is located in Ukraine. It then extracts the base64 encoded data in the section that starts with “href=” and XOR it with the hard-coded array. It then generates a random file name and saves the decoded data to the TEMP folder.
Figure 9: Constructing a web request
Figure 10: The SVG file with unsuccessful geolocation verification
Figure 11: The SVG file with successful geolocation verification
It then executes the decoded file using “rundll32.exe,” followed by a sleep command to wait for the execution to finish. Once completed, it deletes the decoded file to remove any traces.
Figure 12: Execute the decoded data
The decoded data is also a .NET DLL file tasked with decrypting the file for the next stage and establishing persistence.
Figure 13: The decoded file is packed with ConfuserEx
Next, it checks if the targeted file exists. If not, it creates the file “C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll.” It then uses the hard-coded key to decrypt the data using an RC4 algorithm and writes the data to the newly created file.
Figure 14: Write RC4-decrypted content into new-created file
It then adds the registry value “C:\Windows\System32\regsvr32.exe /s C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll” into “SOFTWARE\Microsoft\Widows\CurrentVersion\Run” for persistence and uses InvokeMethod with “Create” to execute the command in the registry.
Figure 16: Execute the “ResetEngine.dll"
The file “ResetEngine.dll” serves as the core component for decrypting and injecting the final payload. It uses “NtDelayExecution” to evade the detection of malicious activities within sandboxes. It then iterates to inspect processes and attempts to terminate the parent process, if any, in order to implement its anti-debugging measures.
Figure 17: Delay execution and Anti-debug
After the evade detection process is complete, it decrypts the final payload with an AES algorithm.
After decryption, it injects the decrypted data into itself and employs various APIs, including “GetCurrentProcessId,” “OpenProcess,” “VirtualAllocEx,” “WriteProcessMemory,” “CreateRemoteThread,” and “WaitForSingleObject” to execute the final Cobalt Strike.
Figure 19: Writing Cobalt Strike into memory
The configuration extraction process involves XOR-ing with 0x2E, allowing us to decipher the information hidden within. By extracting and parsing the configuration, we unveiled the Beacon’s Cobalt Strike Team Server’s (C2) URLs: “hxxps://simonandschuster[.]shop/the-zero-residual-concept/products” and “hxxps://simonandschuster[.]shop/the-zero-residual-concept/sjj-solutions.”
Figure 20: Decoded configuration
Figure 21: Cobalt Strike’s POST request
In this sophisticated attack, the assailant employs multi-stage malware tactics to thwart detection while ensuring operational stability. By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts. Leveraging encoded strings, the VBA conceals crucial import strings, facilitating the deployment of DLL files for persistence and decrypting subsequent payloads. Furthermore, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively.
These orchestrated maneuvers converge towards the deployment of Cobalt Strike onto targeted endpoints, particularly within the confines of Ukraine's geopolitical landscape. As Office documents provide troves of functionality, including numerous plugins and scripts, users must exercise utmost caution when handling files sourced from dubious origins. Vigilance is paramount, particularly regarding any suspicious file drops or unfamiliar startup programs within registry settings.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
VBA/Agent.APO!tr
W32/Injector.S!tr
MSIL/Agent.QTS!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
The FortiGuard Web Filtering Service blocks the C2 server.
The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the document.
We also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
Domains
goudieelectric[.]shop
simonandschuster[.]shop
Files
88c97af92688d03601e4687b290d4d7f9f29492612e29f714f26a9278c6eda5b
815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be
9649d58a220ed2b4474a37d6eac5f055e696769f87baf58b1d3d0b5da69cbce5
af8104e567c6d614547acb36322ad2ed6469537cd1d78ae1be65fbde1d578abc
de1bceb00c23e468f4f49a79ec69ec8ad3ed622a3ffc08f84c0481ad0f6f592b
6f4642a203541426d504608eed7927718207f29be2922a4c9aa7e022f22e0deb
d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf
d9b16f077cd6e00137ba208031d22fd6423d0ef303883ad4b6f78638693f2044