According to Ukraine’s Computer Emergency Response Team, attackers are using fake Windows antivirus updates to deploy malware, including Cobalt Strike, to Ukrainians through phishing emails impersonating the country’s government agencies.
The emails ask the recipient to increase network security by downloading a fake update package, about 60MB in size, named ‘BitdefenderWindowsUpdatePackage.exe’. The emails link to a French website that offered downloads for the apparent update; the site is offline at the time of writing. Additionally, MalwareHunterTeam discovered another site acting as the command and control server for the campaign.
Users are asked to install a ‘Windows Update Package’. When downloaded and run, this package downloads and installs the one.exe file from Discord’s CDN. The downloaded file is a Cobalt Strike beacon; Cobalt Strike is a powerful penetration testing suite with persistence capabilities.
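The delivery stage described above leaves two things a defender can hunt for in proxy or EDR network logs: the lure file name and an executable fetched from Discord's CDN by a process that is not a browser or the Discord client. The following is an added example, not code from CERT-UA or the article; the log format, the `cdn.discordapp.com` hostname match, the process allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}        # assumed hostname for Discord's CDN
LURE_NAME = "bitdefenderwindowsupdatepackage.exe"  # lure file name from the article
# Processes expected to fetch from the CDN (assumption; tune per environment).
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")
# Assumed log format: "<timestamp> <host> <process> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2022-01-01T09:12:01Z WS-014 BitdefenderWindowsUpdatePackage.exe https://cdn.discordapp.com/attachments/0000/0000/one.exe
2022-01-01T09:13:40Z WS-022 Discord.exe https://cdn.discordapp.com/attachments/0000/0000/photo.png
2022-01-01T09:15:02Z WS-031 chrome.exe https://cdn.discordapp.com/attachments/0000/0000/setup.exe
2022-01-01T09:16:45Z WS-031 chrome.exe https://downloads.example.org/BitdefenderWindowsUpdatePackage.exe
"""

def classify(line):
    """Return the list of rule names one log line triggers (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable lines are skipped, not flagged
    _ts, _host, process, url = m.groups()
    parsed = urlparse(url)
    proc, path = process.lower(), parsed.path.lower()
    findings = []
    # Rule 1: the lure name as the requesting process or as the downloaded file.
    if proc == LURE_NAME or path.endswith("/" + LURE_NAME):
        findings.append("lure-filename")
    # Rule 2: an executable served from Discord's CDN.
    if (parsed.hostname or "").lower() in DISCORD_CDN_HOSTS and path.endswith(EXECUTABLE_EXT):
        findings.append("discord-cdn-executable")
        # Rule 3: ...requested by something other than a browser or Discord.
        if proc not in EXPECTED_CLIENTS:
            findings.append("unexpected-client")
    return findings

def scan(log_text):
    """Map 1-based line number -> findings for every line that triggered a rule."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, ", ".join(found))
```
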
More trouble for Ukrainians
The file mentioned above also fetches a Go downloader, which fetches and executes a base64-encoded file. That file adds a new Windows registry key to ensure persistence and downloads two additional payloads: the GraphSteel backdoor and the GrimPlant backdoor.
These two tools combined can do network recon, remote command execution and file operations. Their individual capabilities are as follows.
GraphSteel
- Collect hostname, username, IP address.
- Execute commands.
- Steal account credentials.
- Use WebSocket and GraphQL to communicate with the command and control center, with AES encryption and base64 encoding.
GrimPlant, on the other hand, can do the following.
- Collect IP address, hostname, OS, username and home directory.
- Execute remote commands and report results back to the attacker.
- Use gRPC for command and control communication.
Not much is known about these payloads. It is also possible that they are known payloads rebranded under a different name.
CERT has attributed the attacks to UAC-0056 with medium confidence. Also known as ‘Lorec53’, this is a Russian threat actor that uses phishing emails and custom backdoors to collect information from Ukrainian organisations. The group has become more active in its phishing distribution and network attacks since December 2021, along with Russia’s increased aggression.