Hackers use outdated Microsoft Office flaw to deploy Cobalt Strike malware


Mélina LOUPIA

April 27, 2024 at 2:12 p.m.


Hackers use old Microsoft Office security flaw to launch Cobalt Strike © Koshiro K / Shutterstock


The attack, which has not yet been claimed, used an old Microsoft Office zero-day flaw, detected in 2017, to introduce Cobalt Strike malware into a fake US military manual.

Clearly, hackers are not ones to let anything go to waste. After the Lazarus group dusted off its old KaolinRAT malware to make it more powerful, it is now the turn of an old Microsoft Office zero-day flaw to be exploited by a group still unknown to the authorities and to cybersecurity researchers.

And not content with making something new out of something old, the hackers use Cobalt Strike, a tool developed to test the vulnerabilities of a system, part of whose code has been copied by attackers. This diversion has already been seen in a banking malware campaign, which also exploited an old Office vulnerability. Is this new fashion about to become the norm in cybercrime?

Cobalt Strike, hackers’ favorite

We know that diversion is the basis of many cyberhacking campaigns. But the diversion of Cobalt Strike is rather original. The tool was created in 2012 to improve the capabilities of the Metasploit Framework attack simulation tool. In 2015, Cobalt Strike 3.0 was launched as a standalone threat emulation platform. But in 2016, cybersecurity researchers at Proofpoint discovered that it was being used by hackers, and not small-time actors but heavyweights such as APT groups. The democratization of Cobalt Strike had begun, with its diversion for malicious purposes increasing by 161% between 2019 and 2021.

It has become a tool of choice for cybercriminals due to its versatility, ease of use and ability to be customized for specific campaigns, such as that of the “Lockean” malware, which targeted France in 2021.

Cobalt Strike is versatile: it allows attackers to install viruses and steal information while staying under the radar on the machines it infects. It is often paired with zero-day vulnerabilities so that it is operational immediately. It was notably used by a gang of Ukrainian hackers, now behind bars, during ransomware attacks in 71 countries.

A deployment method that sows doubt about the identity of the hackers and their target

An equation with two unknowns, however, stumps researchers. Who are the hackers, and who are they targeting? If we look at the method, we can conclude that the target would be Ukraine. Indeed, the exploitation of zero-day vulnerabilities is the most violent and direct way to reach a target. The hackers used the CVE-2017-8570 flaw to launch Cobalt Strike; the same flaw had already been used against Ukraine in 2022, hidden in a fake Excel file of Ukrainian military salaries. This time, the lure is a PowerPoint slideshow presenting a manual of American military equipment. That is the first similarity.

Then, Deep Instinct researchers were able to establish that the sample had been uploaded from Ukraine, which could suggest a "Red Teaming" exercise, a practice used in cybersecurity to test defenses against realistic attacks. A second phase of deployment was carried out through a VPN in Russia, and finally, the final Cobalt Strike Beacon (Beacon is the command-and-control component of Cobalt Strike, its most virulent part) was recorded in Warsaw, Poland.

Malware campaigns can affect individuals © KS JAY / Shutterstock


Are the hackers Russian, or allies of Ukraine? Nothing has been established, at least by the researchers, who nonetheless rule out Russia as the origin of the attack. This new campaign shows how vulnerable countries are to ever more ingenious hackers and should remind us that we must remain vigilant. Malware or ransomware attacks do not only come from famous gangs, and they do not only affect countries.

This is why Clubic has selected tools for you to protect you against this ransomware which can plunder your data as well as your bank account.

Sources: HackRead, Deep Instinct

Mélina LOUPIA


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
