Ukraine faces another cyberattack: Cobalt Strike deployed via malicious Excel VBA file

Threat actors used a multi-stage malware strategy

Reading time icon 3 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

ukraine cyberattack

In the last few years, Ukraine has become a target of sophisticated cyberattacks targeting critical infrastructure. The latest on the list is an attack aimed at gaining control of the affected systems by deploying Cobalt Strike through a malicious Excel file.

A Fortinet report on the cyberattack, targetting the Microsoft Windows OS, provides us valuable insights into the tactics employed by threat actors and the process of delivering the Cobalt Strike payload to establish communication with the command and control server.

Initially, threat actors sent a malicious Excel file in Ukrainian and deceived end users into enabling the macros. For the unversed, Microsoft, in 2022, had blocked macros by default to prevent such attacks.

Upon enabling the macro, the file took the form of a spreadsheet with the title, Amount of budget funds allocated to military units. The macro then deploys a DLL downloader, which first checks for any instances of an active antivirus on the PC and terminates the process. Now, it goes on to make critical changes to the PC, including downloading payload, adding system files, and modifying the Registry.

Finally, after a series of other complex changes, threat actors deploy Cobalt Strike on affected devices!

The Fortinet report tells us how threat actors deleted all traces of the attack to evade detection. The report says,

In this sophisticated attack, the assailant employs multi-stage malware tactics to thwart detection while ensuring operational stability. By implementing location-based checks during payload downloads, the attacker aims to mask suspicious activity, potentially eluding scrutiny by analysts. Furthermore, the self-deletion feature aids evasion tactics, while the DLL injector employs delaying tactics and terminates parent processes to evade sandboxing and anti-debugging mechanisms, respectively.

Remember, it all started with a harmless-looking Excel file and led to threat actors gaining control of the command and control server. This highlights how a lackadaisical approach on your part when it comes to cybersecurity makes things a lot easier for threat actors. The report sheds light on this aspect as well.

As Office documents provide troves of functionality, including numerous plugins and scripts, users must exercise utmost caution when handling files sourced from dubious origins. Vigilance is paramount, particularly regarding any suspicious file drops or unfamiliar startup programs within registry settings.

Additionally, the report mentions how Fortinet’s FortiGuard Antivirus detects the malware used in the latest cyberattack targeting Ukraine. These are:

  • VBA/Agent.APO!tr
  • W32/Injector.S!tr
  • MSIL/Agent.QTS!tr

In the recent past, there has been an exponential increase in cyber attacks fueled by the emergence of AI. So, as threat actors employ more advanced techniques to deploy malware, it’s critical that you follow the best cyber hygiene practices and start using an effective antivirus solution.

How do you think one could have prevented the latest cyberattack targeting Ukraine? Share with our readers in the comments section.

More about the topics: Cybersecurity, security threats