Ukraine Targeted by a Geo-Poli-Cyber™ motivated attack that Exploited a 7-Year-Old Microsoft Office Flaw

Anatomy of a Geo-Poli-Cyber™ motivated attack – Researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.

“By definition, this is a 100% Geo-Poli-Cyber™ motivated attack” said a senior Cyber Survivability executive at the MLi Group.

 “In essence, if you cannot name the threat, you cannot mitigate the threat.” The exert added.

The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file (“signal-2023-12-20-160512.ppsx”) as the starting point, with the filename implying that it may have been shared via the Signal instant messaging app.

“To continue calling it a ‘cyber-attack’, or ‘nation state’ is at the core of why the best in cyber security strategies and solutions continue failing to effectively mitigate risks and threats, or defend national sovereignties, critical infrastructures, and corporate structures,” the expert concluded.

Some technical detail.

That having said, there is no actual evidence to indicate that the PPSX file was distributed in this manner, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered two different campaigns that have used the messaging app as a malware delivery vector in the past.

Just last week, the agency disclosed that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source programs such as sigtop and tusc to exfiltrate data from computers.

“The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of the U.S. Army for mine clearing blades (MCB) for tanks,” security researcher Ivan Kosarev said. “The PPSX file includes a remote relationship to an external OLE object.”

This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that could allow an attacker to perform arbitrary actions upon convincing a victim to open a specially crafted file, to load a remote script hosted on weavesilk[.]space.

The heavily obfuscated script subsequently launches an HTML file containing JavaScript code, which, in turn, sets up persistence on the host via Windows Registry and drops a next-stage payload that impersonates the Cisco AnyConnect VPN client.

The payload includes a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into system memory and awaits for further instructions from a command-and-control (C2) server (“petapixel[.]fun”).

The DLL also packs in features to check if it’s being executed in a virtual machine and evade detection by security software.

Deep Instinct said it could neither link the attacks to a specific threat actor or group nor exclude the possibility of a red teaming exercise. Also unclear is the exact end goal of the intrusion.

“The lure contained military-related content, suggesting it was targeting military personnel,” Kosarev said.

“But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (weavesilk[.]com) and a popular photography site (petapixel[.]com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”

Sandworm Targets Critical Infra in Ukraine

The disclosure comes as CERT-UA revealed that about 20 energy, water, and heating suppliers in Ukraine have been targeted by a Russian state-sponsored group called UAC-0133, a sub-cluster within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for a bulk of all the disruptive and destructive operations against the country.

The attacks, which aimed to sabotage critical operations, involve the use of malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, in addition to GOSSIPFLOW and LOADGRIP.

While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary written in C that’s used to load BIASBOAT on compromised Linux hosts.

The post Ukraine Targeted by a Geo-Poli-Cyber™ motivated attack that Exploited a 7-Year-Old Microsoft Office Flaw appeared first on Survivability News | Powered By MLi Group.

What Are
Cyber™ Risks?

What Is Geo-Poli-Cyber™?
MLi Group created the terms Poli-Cyber™ and Geo-Poli-Cyber™ in 2012. Geo-Poli-Cyber™ hacks are political, ideological, extremist, and ‘religious’ motivated attacks. They are the hacks that cyber security, resiliency and continuity strategies and solutions continue to fail to defend governments and organizations routinely. Key are the destruction/devastation motivated new breed of Geo-Poli-Cyber hackers and lone wolfs who are often directed or backed by not only enemies but presumed allies.
2021 (C) All rights reserved. MLi Group