Cobalt Strike

FortiGuard Labs recently identified a multi-stage attack that begins with an Excel file whose VBA macro drops a DLL. The chain ultimately delivers a Cobalt Strike Beacon and establishes communication with its command and control (C2) server, and each stage applies its own evasion technique to make sure the payload arrives.

Over the past few years, Ukraine has been a significant target due to its geopolitical situation.  The history of these attacks reveals a pattern of increasing complexity and frequency, particularly during periods of geopolitical tension.  For instance, in 2022, FortiGuard Labs reported a campaign using a malicious Excel document themed around the Ukrainian military to deliver a multi-stage Cobalt Strike loader.[1]  

In 2023, Ukraine's Computer Emergency Response Team (CERT-UA) disclosed that UAC-0057 was involved in an attack using a malicious XLS file containing a macro and a lure image to deploy PicassoLoader and Cobalt Strike Beacon on compromised systems. Below is a walkthrough of the technical details of this latest multi-stage attack.

Figure 1: Attack flow

Excel Document

The malicious Excel document contains Ukrainian-language content designed to lure the user into enabling its macros.

Figure 2: Excel document before enabling VBA

Once the VBA macro is enabled, the document switches to sheets related to the calculation of the “amount of budget funds allocated to military units” (translated from “обсягу бюджетних коштів, що спрямовуються до військових частин”).

Figure 3: Excel document after enabling VBA

The primary function of the VBA macro is to drop a DLL downloader that is embedded in the macro as a hex string. Most of the other strings in the VBA code are likewise hex-encoded and only decoded at runtime, which defeats simple string-based detection of the macro's file names and commands.

Figure 4: The "workbook_open()" function

After dropping the DLL file "Ac83faafb23919Ae9.DLl" into "%APPDATA%\VIBErpc\bIn\biN", the macro creates a shortcut named "ACtIVePRObE" in "%APPDATA%\Microsoft".

It then runs the Shell command "RunDLL32.EXE shell32.dll, ShellExec_RunDLL '%APPDATA%\Microsoft\ACtIVePRObE.lnk', 0", which uses the ShellExec_RunDLL export of shell32.dll to open the shortcut as if the user had double-clicked it.

The LNK file's target is regsvr32, which loads "Ac83faafb23919Ae9.DLl" and calls its DllRegisterServer export, so the downloader's code runs without the macro ever calling the DLL directly.

Figure 5: Creating the LNK file

Figure 6: The LNK file

 

DLL Downloader

The downloader "Ac83faafb23919Ae9.DLl" is a .NET assembly obfuscated with ConfuserEx.

Figure 7: DLL downloader "Ac83faafb23919Ae9.DLl"

First, it scans the names of running processes for the strings "process hacker", "avastui", "aswtoolssvc", "wsc_proxy", "procexp", "overseer" and "avast svc". If any of them match, indicating an analysis tool or an Avast antivirus component, the downloader exits without fetching the next stage.

Figure 8: Checking the process names

Once the process check passes, it builds a web request to fetch the next-stage payload from the URL "hxxps://goudieelectric[.]shop/cms/svg/6364.2809640e[.]chunk.svg".

The server returns the real payload only when the request comes from a device located in Ukraine; clients outside that geofence receive a harmless SVG (Figures 10 and 11 show the two responses). The downloader extracts the base64-encoded data from the section of the SVG that starts with "href=", XORs the decoded bytes with a hard-coded byte array, generates a random file name, and writes the result to the TEMP folder.

Figure 9: Constructing a web request

Figure 10: The SVG file with unsuccessful geolocation verification

Figure 11: The SVG file with successful geolocation verification
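The extraction step described above, as an added example that is not FortiGuard's code or the loader's own: it locates the base64 body after an href= attribute, base64-decodes it, applies repeating-key XOR, and checks that the output is a PE image. The key bytes, the SVG layout and the stand-in payload are constructed for the example; the real key is hard-coded in the downloader and is not reproduced in the report.

```python
"""Recover the second stage from the SVG wrapper: base64 after 'href=', then repeating-key XOR.

Added example, not FortiGuard's or the loader's code. The key bytes and the SVG
layout below are constructed stand-ins; the real key is hard-coded in the
downloader and is not reproduced in the report.
"""
import base64
import re

SAMPLE_KEY = bytes([0x1F, 0x3A, 0xC4, 0x7B, 0x05, 0xE2, 0x99, 0x4D])  # constructed, not the real key

# Matches href=... (plain or xlink:href) and captures the base64 body, with or
# without a data: URI prefix and with or without surrounding quotes.
HREF_RE = re.compile(r'href=["\']?(?:data:[^,]*,)?([A-Za-z0-9+/=]+)')


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, as the downloader applies to the base64-decoded blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_href_blob(svg_text: str) -> bytes:
    """Return the first base64 payload that follows an href= attribute.

    Short or non-base64 hrefs (fragment links, image file names) are skipped, so
    a decoy SVG with no embedded payload raises ValueError.
    """
    for m in HREF_RE.finditer(svg_text):
        candidate = m.group(1)
        if len(candidate) < 16 or len(candidate) % 4:
            continue
        try:
            return base64.b64decode(candidate, validate=True)
        except ValueError:
            continue
    raise ValueError("no base64 payload found after href=")


def decode_stage(svg_text: str, key: bytes = SAMPLE_KEY) -> bytes:
    """Decode the embedded stage and sanity-check that it is a PE image."""
    payload = xor_repeating(extract_href_blob(svg_text), key)
    if payload[:2] != b"MZ":
        raise ValueError("decoded data is not a PE file: wrong key or decoy response")
    return payload


def is_real_payload(svg_text: str, key: bytes = SAMPLE_KEY) -> bool:
    """True if the SVG carries a decodable PE stage (i.e. the geofence passed)."""
    try:
        decode_stage(svg_text, key)
        return True
    except ValueError:
        return False


def build_sample_svg(stage: bytes, key: bytes = SAMPLE_KEY) -> str:
    """Constructed fixture in the shape the loader parses; not the real SVG."""
    body = base64.b64encode(xor_repeating(stage, key)).decode()
    return ('<svg xmlns="http://www.w3.org/2000/svg" '
            'xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<use xlink:href="#logo"/>'
            f'<image width="1" height="1" href="data:image/png;base64,{body}"/>'
            '</svg>')


# Constructed decoy: what a client outside the geofence would see (no payload).
DECOY_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

# Constructed stand-in for the stage: an MZ header followed by filler bytes.
SAMPLE_STAGE = b"MZ" + bytes(range(256)) * 2

if __name__ == "__main__":
    svg = build_sample_svg(SAMPLE_STAGE)
    print("geofence passed:", is_real_payload(svg), "| decoy:", is_real_payload(DECOY_SVG))
    print("recovered", len(decode_stage(svg)), "bytes")
```

When replaying the download from outside Ukraine, expect `is_real_payload` to return False on the decoy; a False result with the genuine SVG means the key array lifted from the downloader is wrong, not that the sample is inert.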

It then executes the decoded file with "rundll32.exe", sleeps until that execution has finished, and deletes the decoded file to remove traces.

Figure 12: Execute the decoded data

The decoded data is another ConfuserEx-packed .NET DLL, responsible for decrypting the next stage and establishing persistence.

Figure 13: The decoded file is packed with ConfuserEx

Next, it checks whether the target file exists. If not, it creates "C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll", a path that mimics Windows container image storage under ProgramData. It then decrypts its embedded data with RC4 using a hard-coded key and writes the result to the newly created file.

Figure 14: Write RC4-decrypted content into the newly created file
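The RC4 step, as an added example rather than the loader's code: a plain RC4 routine (the same function encrypts and decrypts), followed by a PE-header check so that a wrong key never produces a "ResetEngine.dll" that is just garbage on disk. The key below is a placeholder for the hard-coded key recovered from the .NET DLL, which the report does not print, and the "PE" being decrypted is a constructed header.

```python
"""RC4-decrypt the embedded ResetEngine.dll stage and verify the result is a PE image.

Added example, not the loader's code. SAMPLE_KEY is a placeholder; the real
hard-coded key is recovered from the .NET DLL and is not in the report.
"""
import struct

SAMPLE_KEY = b"placeholder-rc4-key"  # assumption: stands in for the hard-coded key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: one function encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_stage(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt and refuse anything that does not parse as a PE (wrong key or wrong blob)."""
    plain = rc4(key, ciphertext)
    if not looks_like_pe(plain):
        raise ValueError("RC4 output is not a PE image; check the key or the extracted blob")
    return plain


def try_decrypt(key: bytes, ciphertext: bytes):
    """Convenience wrapper: the decrypted PE, or None if the key does not fit."""
    try:
        return decrypt_stage(key, ciphertext)
    except ValueError:
        return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for ResetEngine.dll: DOS header, e_lfanew=0x80, PE signature at 0x80."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + b"\xCC" * 64


if __name__ == "__main__":
    blob = rc4(SAMPLE_KEY, build_fake_pe())      # what the loader carries, encrypted
    recovered = decrypt_stage(SAMPLE_KEY, blob)
    print("PE recovered:", looks_like_pe(recovered), "| wrong key ->", try_decrypt(b"wrong", blob))
```

Because RC4 has no integrity check, the PE header test is the only signal that the key is right; when carving the blob out of the .NET resource, a decryption that fails this check usually means the resource boundaries, not the key, are off by a few bytes.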

It then adds the value "C:\Windows\System32\regsvr32.exe /s C:\ProgramData\Windows\Containers\BaseImages\9cb03978-56d9-4f38-8f05-d1fdf135f0ab\Files\Windows\System32\ResetEngine.dll" under "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" for persistence, and runs the same command immediately through WMI by calling InvokeMethod("Create") (Win32_Process.Create). That launch method matters for detection: the resulting regsvr32 process is a child of WmiPrvSE.exe rather than of the loader's own process, so a naive parent-child rule on the loader will miss it.

Figure 15: Add registry

Figure 16: Execute the "ResetEngine.dll"
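The execution chain (Excel spawning rundll32 with ShellExec_RunDLL on a .lnk, regsvr32 registering a DLL from a user-writable folder) and the persistence step (Run-key value pointing at regsvr32, launched via WMI) described above, turned into hunt rules run over Sysmon-style events. This is an added example, not FortiGuard's detection content; the events are constructed to match the paths in the report, and the parent-process relationships, the HKU hive and the Run value name "ResetEngine" are assumptions.

```python
"""Hunt rules for the execution and persistence chain in this report, run over
constructed Sysmon-style events (JSON lines). Added example, not FortiGuard's
code; the events below are fabricated to match the paths in the report, and the
parent images, the HKU hive and the Run value name 'ResetEngine' are assumptions.
"""
import json
import re

SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "RunDLL32.EXE shell32.dll, ShellExec_RunDLL "
                    "'C:\\Users\\u\\AppData\\Roaming\\Microsoft\\ACtIVePRObE.lnk', 0"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "regsvr32 /s C:\\Users\\u\\AppData\\Roaming\\VIBErpc\\bIn\\biN\\Ac83faafb23919Ae9.DLl"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ResetEngine",
     "Details": "C:\\Windows\\System32\\regsvr32.exe /s C:\\ProgramData\\Windows\\Containers\\BaseImages\\"
                "9cb03978-56d9-4f38-8f05-d1fdf135f0ab\\Files\\Windows\\System32\\ResetEngine.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "C:\\Windows\\System32\\regsvr32.exe /s C:\\ProgramData\\Windows\\Containers\\BaseImages\\"
                    "9cb03978-56d9-4f38-8f05-d1fdf135f0ab\\Files\\Windows\\System32\\ResetEngine.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe",          # benign control
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"},
])

OFFICE_PARENT = re.compile(r"\\(EXCEL|WINWORD|POWERPNT|OUTLOOK)\.EXE$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def image_is(ev, name):
    return ev.get("Image", "").lower().endswith("\\" + name)


def rule_office_lnk_via_rundll32(ev):
    """Office app -> rundll32 shell32.dll,ShellExec_RunDLL <something>.lnk (Figures 5 and 6)."""
    cl = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1 and image_is(ev, "rundll32.exe")
            and "shellexec_rundll" in cl and ".lnk" in cl
            and OFFICE_PARENT.search(ev.get("ParentImage", "")) is not None)


def rule_regsvr32_user_writable_dll(ev):
    """regsvr32 registering a DLL from AppData/ProgramData/Temp (both DLL stages do this)."""
    return (ev.get("EventID") == 1 and image_is(ev, "regsvr32.exe")
            and USER_WRITABLE.search(ev.get("CommandLine", "")) is not None)


def rule_run_key_regsvr32(ev):
    """Run-key value whose command is regsvr32 (Sysmon EID 13, registry value set)."""
    return (ev.get("EventID") == 13
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and "regsvr32" in ev.get("Details", "").lower())


def rule_wmi_spawned_regsvr32(ev):
    """regsvr32 started by WmiPrvSE.exe: the parent you get from Win32_Process.Create."""
    return (ev.get("EventID") == 1 and image_is(ev, "regsvr32.exe")
            and ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"))


RULES = [
    ("office_lnk_via_rundll32", rule_office_lnk_via_rundll32),
    ("regsvr32_user_writable_dll", rule_regsvr32_user_writable_dll),
    ("run_key_regsvr32", rule_run_key_regsvr32),
    ("wmi_spawned_regsvr32", rule_wmi_spawned_regsvr32),
]


def hunt(jsonl_text: str):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    hits = []
    for idx, line in enumerate(l for l in jsonl_text.splitlines() if l.strip()):
        ev = json.loads(line)
        hits.extend((idx, name) for name, rule in RULES if rule(ev))
    return hits


if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_JSONL):
        print(f"event {idx}: {name}")
```

The benign control (regsvr32 registering msxml3.dll from System32 under an installer) fires nothing, which is the point of keying the regsvr32 rule on the DLL's directory rather than on regsvr32 itself; tune USER_WRITABLE to the directories your environment treats as untrusted.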

DLL Injector

The file "ResetEngine.dll" is the core component that decrypts and injects the final payload. It calls "NtDelayExecution" to stall, which defeats sandboxes that only observe a sample for a short time. It then iterates over running processes and attempts to terminate its parent process, if one exists, as an anti-debugging measure.

Figure 17: Delay execution and Anti-debug

After these evasion steps, it decrypts the final payload with AES.

Figure 18: Decrypt data

After decryption, it injects the decrypted data into its own process, using "GetCurrentProcessId", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread" and "WaitForSingleObject" to map the buffer and run the final Cobalt Strike Beacon.

Figure 19: Writing Cobalt Strike into memory

The Cobalt Strike Payload

The Beacon configuration is XOR-encoded with the single byte 0x2E (the key Cobalt Strike 4.x uses; 3.x used 0x69), so XOR-ing the block with 0x2E recovers the plaintext settings. Extracting and parsing the configuration reveals the Beacon's Team Server (C2) URLs: "hxxps://simonandschuster[.]shop/the-zero-residual-concept/products" and "hxxps://simonandschuster[.]shop/the-zero-residual-concept/sjj-solutions".

Figure 20: Decoded configuration

Figure 21: Cobalt Strike's POST request
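The configuration extraction described above, as an added example (not FortiGuard's extractor): it finds the XOR-encoded config by searching for the known first record under each candidate key, decodes it, walks the index/type/length/value records, and rebuilds the C2 URLs. The encoding and record layout are the public Beacon format; the sample blob is constructed for the example and embeds only the two C2 URLs quoted in the report, with made-up port, sleep and jitter values.

```python
"""Locate, decode and parse a Cobalt Strike Beacon configuration block.

Added example, not FortiGuard's extractor. The encoding (single-byte XOR, 0x2E for
4.x and 0x69 for 3.x) and the record layout (big-endian index, type, length,
value; type 1 = short, 2 = int, 3 = bytes) are the public Beacon format; the
sample blob below is constructed and embeds only the two C2 URLs from the report.
"""
import struct

HEADER = b"\x00\x01\x00\x01\x00\x02"   # first record: index 1 (BeaconType), type short, length 2
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
               7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def find_config(blob: bytes, candidate_keys=(0x2E, 0x69)):
    """Scan for the XOR-encoded header with each candidate key; return (offset, key)."""
    for key in candidate_keys:
        off = blob.find(bytes(b ^ key for b in HEADER))
        if off != -1:
            return off, key
    raise ValueError("no Beacon config header found for keys "
                     + ", ".join(hex(k) for k in candidate_keys))


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_records(cfg: bytes) -> dict:
    """Walk index/type/length/value records until the zero-index terminator."""
    records, pos = {}, 0
    while pos + 6 <= len(cfg):
        idx, typ, length = struct.unpack_from(">HHH", cfg, pos)
        if idx == 0:
            break
        pos += 6
        raw = cfg[pos:pos + length]
        pos += length
        if typ == 1:
            records[idx] = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:
            records[idx] = struct.unpack(">I", raw[:4])[0]
        else:
            records[idx] = raw
    return records


def c2_urls(records: dict) -> list:
    """Turn the C2Server field ('host,/uri[,host,/uri...]') into full URLs."""
    scheme = "https" if records.get(1) == 8 else "http"
    parts = records[8].split(b"\x00", 1)[0].decode().split(",")
    return [f"{scheme}://{parts[i]}{parts[i + 1]}" for i in range(0, len(parts) - 1, 2)]


def extract(blob: bytes) -> dict:
    """Full pipeline: locate, decode, parse, and name the fields."""
    off, key = find_config(blob)
    records = parse_records(xor_single(blob[off:], key))
    summary = {FIELD_NAMES.get(k, f"field_{k}"): v for k, v in records.items()}
    summary["BeaconType"] = BEACON_TYPES.get(records.get(1), records.get(1))
    summary["xor_key"] = key
    summary["C2Urls"] = c2_urls(records)
    return summary


# --- constructed sample (not a real Beacon) ---------------------------------
def _rec(idx, typ, value):
    if typ == 1:
        value = struct.pack(">H", value)
    elif typ == 2:
        value = struct.pack(">I", value)
    return struct.pack(">HHH", idx, typ, len(value)) + value


_C2 = (b"simonandschuster.shop,/the-zero-residual-concept/products,"
       b"simonandschuster.shop,/the-zero-residual-concept/sjj-solutions").ljust(256, b"\x00")
_PLAIN = (_rec(1, 1, 8) + _rec(2, 1, 443) + _rec(3, 2, 60000) + _rec(5, 1, 37)
          + _rec(8, 3, _C2) + _rec(9, 3, b"Mozilla/5.0".ljust(128, b"\x00")) + b"\x00" * 16)
SAMPLE_BLOB = b"MZ\x90\x00" * 16 + xor_single(_PLAIN, 0x2E) + b"\x00" * 32

if __name__ == "__main__":
    for k, v in extract(SAMPLE_BLOB).items():
        print(f"{k:12} {v if not isinstance(v, bytes) else v[:32]!r}")
```

Run it against the memory region that "ResetEngine.dll" writes with WriteProcessMemory, or against a dump of that region; searching for the encoded header rather than assuming an offset is what makes the same parser work on both 3.x (0x69) and 4.x (0x2E) beacons.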

In this attack, the attacker uses a multi-stage loader chain to evade detection while keeping the operation stable. The geolocation check on the payload download limits exposure of the real second stage to targets in Ukraine and hides it from analysts elsewhere. The hex-encoded strings in the VBA conceal the dropped DLL and the commands used to launch it; the .NET stages handle persistence and decryption of the next payload; self-deletion of the temporary file removes traces; and the DLL injector delays execution to outlast sandboxes and terminates its parent process as an anti-debugging measure.

All of this converges on deploying Cobalt Strike onto targeted endpoints in Ukraine. Because Office documents offer rich functionality, including macros and scripting, users should treat documents from untrusted sources with caution, and defenders should watch for unexpected file drops under %APPDATA% and ProgramData and for unfamiliar startup entries under the Run registry key.

IOCs

Domains

  • goudieelectric[.]shop
  • simonandschuster[.]shop

Files

  • 88c97af92688d03601e4687b290d4d7f9f29492612e29f714f26a9278c6eda5b
  • 815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be
  • 9649d58a220ed2b4474a37d6eac5f055e696769f87baf58b1d3d0b5da69cbce5
  • af8104e567c6d614547acb36322ad2ed6469537cd1d78ae1be65fbde1d578abc
  • de1bceb00c23e468f4f49a79ec69ec8ad3ed622a3ffc08f84c0481ad0f6f592b
  • 6f4642a203541426d504608eed7927718207f29be2922a4c9aa7e022f22e0deb
  • d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf
  • d9b16f077cd6e00137ba208031d22fd6423d0ef303883ad4b6f78638693f2044

 


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

REDSHORTS - Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5378972949933166424

 

[1] https://www.fortinet.com/blog/threat-research/menace-unleashed-excel-file-deploys-cobalt-strike-at-ukraine?lctg=141970831
