Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader | Fortinet Blog

FortiGuard Labs details a Ukrainian-military-themed Excel XLSM document that hides a multi-stage loader which ends with Cobalt Strike Beacon on the victim’s machine. The campaign uses macro-based delivery, obfuscation, shortcut-based execution, and scheduled-task persistence to evade detection. #CobaltStrike #ExcelMacro

Key points

  • The attackers use a malicious Excel file with macros (XLSM) masquerading as a salary tool for Ukrainian military personnel to lure the user into enabling macros.
  • The VBA code is heavily obfuscated and hex-encoded, with the main function OpenModule decoding and loading the payload.
  • A Windows shortcut (.LNK) is created to trigger the first-stage loader: it runs the dropped DLL through RunDLL32, calling the DLL’s exported DllUnregisterServer function.
  • The first-stage downloader retrieves a JPEG image with an encrypted/embedded second-stage loader, which is decrypted and decompressed in memory.
  • The second-stage loader sets up a scheduled task to launch the third-stage loader, using Task Scheduler both to sidestep some detections and to maintain persistence.
  • The final stage is a Cobalt Strike beacon loader that injects into a legitimate process (SearchIndexer.exe) and operates in memory to reach the C2 servers.
  • Fortinet protections and IOCs (file hashes, filenames, and network indicators) are provided to detect and block this campaign.

MITRE Techniques

  • [T1204.002] User Execution – Malicious Excel macro prompts the user to enable macros and auto-populates content. ‘The attack starts with an Excel file loaded with malicious macro code (XLSM). The file masquerades as a spreadsheet tool for generating salaries for Ukrainian military personnel.’
  • [T1027] Obfuscated/Compressed Files and Information – The VBA code employs obfuscation and hex-encoded data to hinder analysis. ‘The VBA code employs simple obfuscation techniques, including unreadable functions and variable names to slow down static analysis. In addition, important data is encoded as hex strings, including the embedded malicious binary.’
  • [T1053.005] Scheduled Task – Creation of a hidden, persistent task to run stages. ‘It then creates a scheduled task with the name “Scheduled” … to masquerade as a legitimate task.’
  • [T1023] Shortcut Modification – Use of a Windows shortcut to trigger payload execution. ‘The objective of the .LNK file is to execute the exported function … However, this case leads to the execution of the DLL’s malicious functions.’
  • [T1055] Process Injection – Final stage loader injects into a running process. ‘process injector and Cobalt Strike loader … injects and executes the loader via remote thread injection.’
  • [T1105] Ingress Tool Transfer – The second-stage loader downloads and decrypts payloads from the network. ‘downloads a seemingly harmless JPEG image file … using a specific set of HTTP headers.’
  • [T1140] Deobfuscate/Decode Files or Information – Payload is decrypted from an overlay and decompressed to reveal a .NET binary. ‘The overlay contains the encrypted and compressed second-stage loader … decrypted using AES … decompressed … to yield a .NET binary.’
  • [T1071.001] Web Protocols – C2 communication with Beacon URLs. ‘the Beacon’s Cobalt Strike Team Server’s (C2) URLs: hxxps://pedaily[.]link/daashbooard/…’
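The chain above (RunDLL32 calling DllUnregisterServer on a DLL dropped under %AppData% or %Temp%, followed by a scheduled task named “Scheduled”) can be turned into simple detection rules over process-creation telemetry. The code below is an added example, not from the Fortinet post; the event records are constructed Sysmon-style dicts, the user-profile paths and the Office parent process are assumptions, and only the DLL names and task name come from the report.

```python
"""Added example (not from the Fortinet post): flag process-creation events
matching the loader chain described above. Events are constructed dicts
modelled on Sysmon Event ID 1 fields; they are not real telemetry."""
import re

# Constructed sample events. DLL names and the task name "Scheduled" are from
# the report; the user path "C:\Users\u" and the Excel parent are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\u\AppData\Roaming\Microsoft\fhasbqwn.dll",DllUnregisterServer',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /TN "Scheduled" /TR "rundll32 C:\Users\u\AppData\Local\Temp\kbdlisus.dll,DllUnregisterServer" /SC ONLOGON',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # Benign control: a normal rundll32 invocation from Explorer.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# DLL loaded from a user-writable location (%AppData% or %Temp% subtrees).
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
TASK_NAMED_SCHEDULED = re.compile(r'/TN\s+"?Scheduled"?(?=\s|$)', re.IGNORECASE)


def classify(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if image.endswith("rundll32.exe"):
        # Rule 1: rundll32 calling DllUnregisterServer on a user-writable DLL.
        if "dllunregisterserver" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append("rundll32_user_dll_unregisterserver")
        # Rule 2: rundll32 spawned directly by an Office application.
        if parent.endswith(("excel.exe", "winword.exe")):
            hits.append("office_spawns_rundll32")
    # Rule 3: schtasks creating a task with the generic name "Scheduled".
    if image.endswith("schtasks.exe") and TASK_NAMED_SCHEDULED.search(cmd):
        hits.append("schtasks_generic_name_scheduled")
    return hits


def scan(events):
    """Return (event_index, rule_name) pairs for every rule hit."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule)
```

Rule 1 alone would also catch legitimate COM unregistration from user paths (installers), so in production it belongs in a correlation with Rule 2 or Rule 3 rather than as a standalone alert.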

Indicators of Compromise

  • [File Hash] 4cedec3e1a2f72a917ad9a59ebe116ed50c3268567946d1e493c8163486b888b, c0c455cd3e18be14d2e34cf4e3fb98e7ab0a75ef04b6049ff9f7b306d62704b8, and 3 more hashes
  • [File Hash] 2927794d7c550c07303199752b8226f197d7ef497d04cf038859f95b60edc9ce, de8c789ef2e1da81182a7529e7b42adf2984cd6e70b02e60fd770ebe658086ae, and 3 more hashes
  • [Filename] %Temp%\jdbsabdqbsmnqwdssad.lnk, %AppData%\Microsoft\fhasbqwn.dll, %Temp%\kbdlisus.dll
  • [Network] hxxps://ellechina[.]online/01_logo_HLW-300×168[.]jpg, hxxps://pedaily[.]link/daashbooard/managgemment/GCLwJmax/KFKcpjlf, hxxps://pedaily[.]link/daashbooard/managgemment/oknz05PqOlqLtMGB/tzJGhpVp

Read more: https://www.fortinet.com/blog/threat-research/ukrainian-excel-file-delivers-multi-stage-cobalt-strike-loader