{
  "name": "Excel File Deploys Cobalt Strike at Ukraine",
  "slug": "excel-file-deploys-cobalt-strike-at-ukraine",
  "description": "A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication with a command and control server. The attack targeted Ukraine, leveraging location-based payload downloads and using encoded strings to conceal key import names and to facilitate deployment of DLL files for persistence and payload decryption. A self-deleting feature and a DLL injector with anti-debugging mechanisms were used to evade detection, ultimately leading to the execution of Cobalt Strike on compromised endpoints in Ukraine.",
  "published": "2024-06-04T15:24:19+00:00",
  "created_at": "2024-06-04T15:24:19+00:00",
  "modified_at": "2024-06-04T15:31:48+00:00",
  "created_at_opencti": "2024-06-04T15:24:19+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-04",
    "evasion",
    "excel",
    "malware",
    "ukraine"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "simonandschuster.shop"
      },
      {
        "id": "",
        "name": "goudieelectric.shop"
      },
      {
        "id": "",
        "name": "d9b16f077cd6e00137ba208031d22fd6423d0ef303883ad4b6f78638693f2044"
      },
      {
        "id": "",
        "name": "de1bceb00c23e468f4f49a79ec69ec8ad3ed622a3ffc08f84c0481ad0f6f592b"
      },
      {
        "id": "",
        "name": "d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf"
      },
      {
        "id": "",
        "name": "af8104e567c6d614547acb36322ad2ed6469537cd1d78ae1be65fbde1d578abc"
      },
      {
        "id": "",
        "name": "9649d58a220ed2b4474a37d6eac5f055e696769f87baf58b1d3d0b5da69cbce5"
      },
      {
        "id": "",
        "name": "88c97af92688d03601e4687b290d4d7f9f29492612e29f714f26a9278c6eda5b"
      },
      {
        "id": "",
        "name": "6f4642a203541426d504608eed7927718207f29be2922a4c9aa7e022f22e0deb"
      },
      {
        "id": "",
        "name": "815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c5318341cabbcdca",
        "name": "PicassoLoader",
        "slug": "picassoloader"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      }
    ],
    "attack_patterns": [
      {
        "id": "4abf44e7-0c8c-48fc-9cc5-12fc33f919b6",
        "name": "T1211"
      },
      {
        "id": "4d36ebe8-4925-419a-bdd5-73f6427a975d",
        "name": "T1064"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "45c400ce-708d-4ac2-8ea7-57c971a83ce5",
        "name": "T1027.005"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.fortinet.com/blog/threat-research/menace-unleashed-excel-file-deploys-cobalt-strike-at-ukraine",
    "https://otx.alienvault.com/pulse/665f4dc3547b904617f6a4c8"
  ]
}