06-06-2024, 10:36 PM
I find this a chilling thing.
I can only surmise that this malware is part of a wartime activity, since it specifically turns itself off if the location data tells it that it is not in Ukraine. And it means that the creators did not care to target anything other than Ukrainian machines... or it's a setup (c'mon, this is a conspiracy site.)
From HITBSecNews: Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
The security vendor described the threat actor as using a Ukrainian-themed Excel file with an embedded Visual Basic application (VBA) macro as an initial lure. If an unwary user enables the macro, it deploys a dynamic link library (DLL) downloader — obfuscated via the ConfuserEX open source tool — on the victim system.
One of the first things the DLL downloader does is look for the presence of antivirus and other malware detection tools on the compromised system. If the downloader detects the presence of one, it immediately terminates further activity. Otherwise, it uses a Web request to pull the next stage payload from a remote location. The DLL downloader is designed so it can only download the second stage payload on devices located specifically in Ukraine. From there, the downloader then executes a series of steps that results in Cobalt Strike getting deployed on the victim device.
"War" is an ugly thing to begin with, but this is an example of warfare extended to the digital world. It has happened before, I know, and it will happen again, no doubt... but country-specific... that's new to me.
I can only surmise that this malware is part of a wartime activity, since it specifically turns itself off if the location data tells it that it is not in Ukraine. And it means that the creators did not care to target anything other than Ukrainian machines... or it's a setup (c'mon, this is a conspiracy site.)
From HITBSecNews: Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
The security vendor described the threat actor as using a Ukrainian-themed Excel file with an embedded Visual Basic application (VBA) macro as an initial lure. If an unwary user enables the macro, it deploys a dynamic link library (DLL) downloader — obfuscated via the ConfuserEX open source tool — on the victim system.
One of the first things the DLL downloader does is look for the presence of antivirus and other malware detection tools on the compromised system. If the downloader detects the presence of one, it immediately terminates further activity. Otherwise, it uses a Web request to pull the next stage payload from a remote location. The DLL downloader is designed so it can only download the second stage payload on devices located specifically in Ukraine. From there, the downloader then executes a series of steps that results in Cobalt Strike getting deployed on the victim device.
"War" is an ugly thing to begin with, but this is an example of warfare extended to the digital world. It has happened before, I know, and it will happen again, no doubt... but country-specific... that's new to me.
