
Fake antivirus updates are deploying CobaltStrike in Ukraine


According to Ukraine’s Computer Emergency Response Team (CERT-UA), attackers are sending phishing emails that impersonate the country’s government agencies to deliver Cobalt Strike and other malware to Ukrainian targets under the guise of a Windows antivirus update.

The emails urge the recipient to improve network security by downloading a fake update package of about 60MB named ‘BitdefenderWindowsUpdatePackage.exe’. They link to a French website that served the supposed update; the site was offline at the time of writing. MalwareHunterTeam also identified a second site acting as the campaign’s command-and-control server.

Running the package presents a ‘Windows Update Package’ installer which, once launched, fetches and installs a file named one.exe from Discord’s CDN. That file is a Cobalt Strike Beacon, the implant component of the Cobalt Strike adversary-simulation framework, which gives the attacker remote control of the host and a foothold that can be made persistent.


More trouble for Ukrainians

The Beacon also fetches a Go-based downloader that retrieves and executes a base64-encoded file. That file adds a new Windows registry key for persistence and downloads two further payloads: the GraphSteel backdoor and the GrimPlant backdoor.

The fake antivirus update downloads the malware. | Source: MalwareHunterTeam
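As an added illustration of the execution chain above (example code written for this page, not a CERT-UA or MalwareHunterTeam artefact), the script below correlates constructed Sysmon-style events to flag a process that was dropped by something fetching from Discord’s CDN and then wrote an autorun registry value. The event format, hostnames, file paths and the assumption that the persistence key is a CurrentVersion\Run value are all assumptions made here; the chain is also compressed, with the dropped file itself setting the key rather than the later Go downloader stage the article describes.

```python
"""Correlate Sysmon-style events to flag the dropper chain described above.

Added example for this article, not code from CERT-UA or the campaign.
Assumptions (not stated by the article): events arrive in time order, the
persistence key is an HKU CurrentVersion\\Run value, and field names follow
Sysmon (EventID 1 process create, 3 network connect, 11 file create,
13 registry value set). The chain is compressed: here the dropped file
itself sets the autorun value.
"""
import json

# The article names Discord's CDN as the payload source; this is its hostname.
CDN_HOSTS = {"cdn.discordapp.com"}
# Assumed autorun locations; the article does not name the key that was set.
AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed sample log (one JSON event per line); nothing here is real telemetry.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessGuid": "P1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\u\\Downloads\\BitdefenderWindowsUpdatePackage.exe"},
    {"EventID": 3, "ProcessGuid": "P1", "DestinationHostname": "cdn.discordapp.com",
     "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "P1",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\one.exe"},
    {"EventID": 1, "ProcessGuid": "P2",
     "ParentImage": "C:\\Users\\u\\Downloads\\BitdefenderWindowsUpdatePackage.exe",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\one.exe"},
    {"EventID": 13, "ProcessGuid": "P2",
     "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\one.exe",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    # Benign noise: the Discord client itself talks to the CDN but drops no executable.
    {"EventID": 1, "ProcessGuid": "P3", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Discord\\Discord.exe"},
    {"EventID": 3, "ProcessGuid": "P3", "DestinationHostname": "cdn.discordapp.com",
     "DestinationPort": 443},
])


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_dropper_chains(events):
    """Return one finding per process that was written to disk by a process
    that fetched from the CDN and then set an autorun registry value.

    A bare 'connected to the Discord CDN' rule would fire on the Discord
    client; requiring the file drop and the registry write removes that noise.
    """
    cdn_fetchers = set()   # ProcessGuids that connected to a CDN host
    dropped_files = {}     # lower-cased path -> ProcessGuid that wrote it
    dropped_procs = {}     # ProcessGuid -> (image path, writer ProcessGuid)
    findings = []
    for ev in events:
        eid, guid = ev.get("EventID"), ev.get("ProcessGuid")
        if eid == 3 and ev.get("DestinationHostname", "").lower() in CDN_HOSTS:
            cdn_fetchers.add(guid)
        elif eid == 11 and guid in cdn_fetchers:
            dropped_files[ev["TargetFilename"].lower()] = guid
        elif eid == 1 and ev.get("Image", "").lower() in dropped_files:
            dropped_procs[guid] = (ev["Image"], dropped_files[ev["Image"].lower()])
        elif eid == 13 and guid in dropped_procs:
            target = ev.get("TargetObject", "").lower()
            if any(marker in target for marker in AUTORUN_MARKERS):
                image, writer = dropped_procs[guid]
                findings.append({
                    "process": guid,
                    "image": image,
                    "dropped_by": writer,
                    "autorun_key": ev["TargetObject"],
                    "autorun_value": ev.get("Details", ""),
                })
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {f['image']} (dropped by {f['dropped_by']}) set {f['autorun_key']}")
```

Run against the constructed log it raises a single alert for one.exe; the Discord client, which also contacts the CDN, is not flagged because it never drops an executable that goes on to write an autorun value. In a real deployment the same three-event join would be expressed in the SIEM’s query language, with the file-drop step keyed on the writing process rather than on a fixed filename, since the article notes the payload names may be rebranded.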

These two tools combined can do network recon, remote command execution and file operations. Their individual capabilities are as follows.

GraphSteel

  • Collect hostname, username, IP address.
  • Execute commands.
  • Steal account credentials. 
  • Communicate with the command-and-control server over WebSocket and GraphQL, with AES encryption and base64 encoding of the traffic.

GrimPlant, on the other hand, can do the following.

  • Collect IP address, hostname, OS, username and home directory.
  • Execute remote commands and report results back to the attacker.
  • Use gRPC for command-and-control communication.

There’s not a lot known about these payloads. There’s also a possibility that these might just be known payloads rebranded under a different name. 

CERT-UA attributes the attacks with medium confidence to UAC-0056. Also known as ‘Lorec53’, this Russian threat actor uses phishing emails and custom backdoors to collect information from Ukrainian organisations. The group has stepped up its phishing campaigns and network attacks since December 2021, in step with Russia’s escalating aggression.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
