Cybersecurity researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.
The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file (“signal-2023-12-20-160512.ppsx”) as the starting point, with the filename implying that it may have been shared via the Signal instant messaging app.
That having said, there is no actual evidence to indicate that the PPSX file was distributed in this manner, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered two different campaigns that have used the messaging app as a malware delivery vector in the past.
Just last week, the agency disclosed that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source programs such as sigtop and tusc to exfiltrate data from computers.
“The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of the U.S. Army for mine clearing blades (MCB) for tanks,” security researcher Ivan Kosarev said. “The PPSX file includes a remote relationship to an external OLE object.”
This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that could allow an attacker to perform arbitrary actions upon convincing a victim to open a specially crafted file, to load a remote script hosted on weavesilk[.]space.
The heavily obfuscated script subsequently launches an HTML file containing JavaScript code, which, in turn, sets up persistence on the host via Windows Registry and drops a next-stage payload that impersonates the Cisco AnyConnect VPN client.
The payload includes a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into system memory and awaits for further instructions from a command-and-control (C2) server (“petapixel[.]fun”).
The DLL also packs in features to check if it’s being executed in a virtual machine and evade detection by security software.
Deep Instinct said it could neither link the attacks to a specific threat actor or group nor exclude the possibility of a red teaming exercise. Also unclear is the exact end goal of the intrusion.
“The lure contained military-related content, suggesting it was targeting military personnel,” Kosarev said.
“But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (weavesilk[.]com) and a popular photography site (petapixel[.]com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”
The disclosure comes as CERT-UA revealed that about 20 energy, water, and heating suppliers in Ukraine have been targeted by a Russian state-sponsored group called UAC-0133, a sub-cluster within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for a bulk of all the disruptive and destructive operations against the country.
The attacks, which aimed to sabotage critical operations, involve the use of malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, as well as GOSSIPFLOW and LOADGRIP.
While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary written in C that’s used to load BIASBOAT on compromised Linux hosts.
Sandworm is a prolific and highly adaptive threat group linked to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). It’s known to be active since at least 2009, with the adversary also tied to three hack-and-leak hacktivist personas such as XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek.
“Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations,” Mandiant said, describing the advanced persistent threat (APT) as engaged in a multi-pronged effort to help Russia gain a wartime advantage since January 2022.
“APT44 operations are global in scope and mirror Russia’s wide ranging national interests and ambitions. Patterns of activity over time indicate that APT44 is tasked with a range of different strategic priorities and is highly likely seen by the Kremlin as a flexible instrument of power capable of serving both enduring and emerging intelligence requirements.”