Ukraine's Computer Emergency Response Team (CERT-UA) has warned that threat actors are attempting to infect Ukrainian government organizations with Cobalt Strike beacons and other malware through fake antivirus updates.
The observed campaign uses phishing emails ostensibly sent by Ukraine’s government agencies, advising recipients to download “critical security updates” to improve their cybersecurity. The supposed update is a 60 MB file named “BitdefenderWindowsUpdatePackage.exe,” which in reality downloads and executes several files (alt.exe, one.exe, dropper.exe) from the Discord CDN.
Upon execution, one.exe downloads a Cobalt Strike beacon and a file named “wisw.exe.”
Cobalt Strike is a penetration testing suite often misused by cybercriminals; it provides offensive security features, allows lateral movement within a network, and enables the establishment of persistence.
The same process downloads a Go-based downloader (dropper.exe), which decodes and runs a base64-encoded file (java-sdk.exe). The latter creates a new Windows registry key for persistence and downloads two additional payloads, GraphSteel (microsoft-cortana.exe) and GrimPlant (oracle-java.exe).
GraphSteel and GrimPlant are backdoors, both written in Go, with a variety of capabilities, including collecting system information (hostname, username, IP address), stealing account details, executing commands, and uploading files.
CERT-UA has linked this phishing campaign with medium confidence to the Russian-speaking threat actor UAC-0056 (Lorec53). According to a report from SentinelOne, UAC-0056’s GrimPlant and GraphSteel activity began in early February 2022, while preparation for their use began at least as early as December 2021.
Cybersecurity Help’s statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!