Keypoints
- The attacker sent “Suprovid.rar” via Signal, posing as recruitment documentation to target a Defense Forces representative.
- The RAR archive contained an exploit for WinRAR CVE-2023-38831 (fixed in WinRAR 6.23), which runs attacker-supplied code when the user opens the decoy document inside the archive with a vulnerable WinRAR.
- Successful exploitation executed “support.pdf .cmd”, which opened a decoy PDF and launched PowerShell scripts belonging to COOKBOX.
- COOKBOX’s command-and-control used NoIP dynamic DNS; CERT-UA blocked the associated domain name.
- IOCs include multiple file hashes, malicious filenames, dynamic DNS domains, and registry Run keys using XBox* environment variables.
- Mitigations recommended: prevent user execution of scripting utilities (powershell.exe, wscript.exe, cscript.exe, mshta.exe) via SRP/AppLocker or registry restrictions and submit suspicious files to CERT-UA.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The attacker delivered a malicious archive via Signal to a specific target (‘Suprovid.rar was sent by an unidentified person using the Signal messenger’).
- [T1203] Exploitation for Client Execution – The archive contained an exploit for WinRAR (CVE-2023-38831) to run code on the victim machine (‘the archive contains an exploit for a vulnerability in the WinRAR software (CVE-2023-38831)’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – After exploitation, a CMD executed PowerShell scripts to perform payload actions (‘launch PowerShell scripts that classified as COOKBOX malicious program’).
- [T1036] Masquerading – The attacker disguised an executable script as a PDF to trick the user (‘CMD file “support.pdf .cmd” will be executed’ and decoy document ‘DPO_SEC23-1_OMA_P-3_16-ENG.pdf’).
- [T1140] Deobfuscate/Decode Files or Information – Payload components include decoded/assembled environment variable fragments used at runtime (‘$env:XBoxD1+$env:XBoxD2+…+$env:XBoxD12’).
- [T1105] Ingress Tool Transfer – The malicious archive and subsequent payloads were delivered into the environment via messaging and remote hosting (‘Suprovid.rar’ and hosted artifacts on worker-misty-mouse…workers[.]dev).
- [T1568.002] Dynamic Resolution – C2 infrastructure used dynamic DNS services to maintain reachability (‘dynamic DNS NoIP service is used to ensure the functioning of the COOKBOX management server’).
- [M1038] Execution Prevention (a mitigation, not an attacker technique) – The report recommends blocking the script hosts the chain depends on, using SRP, AppLocker or registry restrictions, so the CMD-to-PowerShell hand-off fails even if the archive exploit succeeds (‘prohibit users from running utilities such as powershell.exe, wscript.exe, cscript.exe, mshta.exe’; ‘use standard mechanisms of the operating system (SRP, AppLocker, registry settings)’).
Indicators of Compromise
- [File hash / archive] Malicious RAR archive – 2fec3ab587e6b5533b4c6b3c11dd357ad8ccaef116cada9c558f9e912d5cf7ef2978082611e677f6f55ca233f47a2f68 (Support.rar). The value as given is 96 hex characters, i.e. an MD5 and a SHA-256 digest run together; split it before loading it into a blocklist. The filename here (Support.rar) also differs from the Suprovid.rar named in the report text, so match on both.
- [File hash / payload] Decoy PDF and CMD – cc1732ce2d2cd79dc85893fdc3b7d1436652b46987350e831678d7a33a70bce9 (DPO_SEC23-1_OMA_P-3_16-ENG.pdf), ba1859659089253621e5a65181ea94cd8f8abfa6717ad2043a295d16b5aeeac3 (DPO_SEC23-1_OMA_P-3_18-ENG.pdf.cmd), and 1 more hash.
- [Filename] Executable script disguised as document – support.pdf .cmd and support.pdf (decoy document)
- [Network domain] C2 / hosting domains – netman.servehttp[.]com (NoIP dynamic DNS, used for the COOKBOX management server) and worker-misty-mouse-6ac7.aky15825.workers[.]dev (Cloudflare Workers hosting). Both are shared services, so block the specific hostnames rather than the parent domains.
- [Registry / persistence] Environment and Run keys used to assemble/launch payload – HKCU:\Environment\XBoxD1 (plus XBoxD2..XBoxD12 holding further payload fragments) and the XBoxCache value under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- [User agent] Observed client signature – Mozilla/5.0(Windows NT 10.0;Win64;x64;rv:109.0)Gecko/20100101 Firefox/116.0. As reproduced here the string lacks the spaces a real Firefox 116 User-Agent carries; confirm the exact bytes against the original report before using it as an exact-match signature, since either form (with or without spaces) will otherwise produce false positives or misses.
The intrusion chain begins with a targeted message on Signal containing “Suprovid.rar”, an archive built to exploit WinRAR CVE-2023-38831. When the victim opens the decoy document inside the archive with a vulnerable WinRAR, the exploit instead runs a CMD file named to resemble a PDF (“support.pdf .cmd”), which displays the decoy document and invokes PowerShell to reconstruct and execute payload fragments stored in HKCU environment variables (XBoxD1…XBoxD12).
PowerShell scripts executed by the CMD implement the COOKBOX payload, which reaches out to C2 infrastructure via NoIP dynamic DNS (netman.servehttp[.]com) and to content hosted on Cloudflare Workers (worker-misty-mouse-6ac7.aky15825.workers[.]dev). Artifacts observed include file hashes for the RAR, decoy PDF and CMD payloads, the XBoxCache Run entry and XBoxD* environment values in HKCU, and a browser-like user-agent string used in network communications.
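The registry staging described above is something a responder can check on a suspect host without waiting for hash matches. The following hunt script is an added example, not code from the CERT-UA report or from the COOKBOX samples: it enumerates the HKCU locations listed in the IOCs, reassembles any XBoxD<n> fragments in numeric order (the ordering is assumed from the quoted `$env:XBoxD1+…+$env:XBoxD12` concatenation), flags Run values that hand control to a script host, and writes the reassembled string to a file for offline analysis instead of executing it. The function name `Find-CookboxStaging` and the output file path are this example's own choices.

```powershell
# Added example; not part of the CERT-UA report. Hunts the per-user registry locations
# listed in the IOCs for COOKBOX-style staging: 'XBoxD<n>' values under HKCU:\Environment
# and the 'XBoxCache' value under the HKCU Run key. Fragment ordering by numeric suffix is
# assumed from the '$env:XBoxD1+...+$env:XBoxD12' snippet quoted in the report.
function Find-CookboxStaging {
    [CmdletBinding()]
    param(
        [string]$EnvKey = 'HKCU:\Environment',
        [string]$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # Return the named values of a key as (Name, Value) pairs, dropping only the metadata
    # properties Get-ItemProperty adds. Do not filter on a '^PS' prefix: a legitimate
    # PSModulePath value can live under HKCU:\Environment.
    function Get-RegValues([string]$Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if (-not $item) { return @() }
        $item.PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' }
    }

    # 1. Run-key persistence: the XBoxCache value itself, plus any Run value whose command
    #    line hands control to one of the script hosts the report says to restrict.
    foreach ($v in Get-RegValues $RunKey) {
        $hostMatch = ([string]$v.Value) -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b'
        if ($v.Name -eq 'XBoxCache' -or $hostMatch) {
            $findings.Add([pscustomobject]@{
                Type = 'RunKey'; Location = "$RunKey\$($v.Name)"; Value = [string]$v.Value
            })
        }
    }

    # 2. Environment-variable staging: collect every XBoxD<n> fragment, order by the numeric
    #    suffix (XBoxD10 must follow XBoxD2, which a plain string sort gets wrong) and
    #    reassemble the string the loader would have executed.
    $frags = Get-RegValues $EnvKey | Where-Object { $_.Name -match '^XBoxD(\d+)$' }
    if ($frags) {
        $ordered = $frags | Sort-Object { [int]($_.Name -replace '^XBoxD', '') }
        foreach ($f in $ordered) {
            $findings.Add([pscustomobject]@{
                Type = 'EnvFragment'; Location = "$EnvKey\$($f.Name)"; Value = [string]$f.Value
            })
        }
        $assembled = -join ($ordered | ForEach-Object { [string]$_.Value })
        $findings.Add([pscustomobject]@{
            Type = 'AssembledPayload'; Location = $EnvKey; Value = $assembled
        })
    }

    # 3. Live-process view: HKCU\Environment is loaded into every new user process, so a
    #    running session also exposes the fragments through the Env: drive.
    foreach ($e in Get-ChildItem Env: | Where-Object { $_.Name -like 'XBoxD*' }) {
        $findings.Add([pscustomobject]@{
            Type = 'LiveEnv'; Location = "env:$($e.Name)"; Value = $e.Value
        })
    }

    return $findings
}

$hits = @(Find-CookboxStaging)
if ($hits.Count -eq 0) {
    Write-Output 'No XBox* staging artefacts found in HKCU.'
} else {
    $hits | Format-Table Type, Location, Value -AutoSize -Wrap
    # Preserve the reassembled payload for offline analysis; never run it.
    $hits | Where-Object Type -eq 'AssembledPayload' | ForEach-Object {
        $_.Value | Set-Content -Path "$env:TEMP\cookbox_assembled.txt" -NoNewline
    }
}
```

Run it in the context of the affected user (HKCU is per user); for other profiles load their NTUSER.DAT hive and substitute the HKU:\<SID> paths. The Run-key check is deliberately broader than the single XBoxCache name, since a loader that stages its body in environment variables can rename the value without changing the technique.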
Mitigation steps: block or restrict execution of scripting hosts (powershell.exe, wscript.exe, cscript.exe, mshta.exe) through SRP/AppLocker or registry policies, treat unsolicited attachments—even from messengers—as untrusted, and submit suspected files to CERT-UA for analysis. Monitor for the listed hashes, domains, and the XBox* registry keys for signs of compromise.
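The AppLocker route from the mitigation above is easy to get wrong in a way that either bricks the host or leaves the gap open. The script below is an added example, not configuration from the CERT-UA report: it generates an AppLocker Exe policy that denies the four named script hosts to a restricted group while keeping the default allow rules (an Exe collection containing only deny rules blocks everything else once enforced), covers both the System32 and SysWOW64 copies on 64-bit Windows, and dry-runs the policy with Test-AppLockerPolicy before optionally merging it. The `$RestrictedSid` default of built-in Users (S-1-5-32-545), the output path and the `-Apply` switch are this example's own assumptions.

```powershell
# Added example; not part of the CERT-UA report. Builds an AppLocker policy denying
# powershell.exe, wscript.exe, cscript.exe and mshta.exe to a restricted group, keeps
# AppLocker's default allow rules so enforcement does not block everything else, and
# tests the result before applying it. Run in an elevated PowerShell.
param(
    # Assumption: group to restrict. Built-in Users (S-1-5-32-545) also contains most
    # interactive admin accounts, so in production point this at a dedicated group.
    [string]$RestrictedSid = 'S-1-5-32-545',
    [string]$OutFile = "$env:TEMP\deny-script-hosts.xml",
    [switch]$Apply
)

$scriptHosts = @(
    'WindowsPowerShell\v1.0\powershell.exe',
    'wscript.exe',
    'cscript.exe',
    'mshta.exe'
)

# One deny rule per host per directory: x64 Windows ships a 32-bit copy under SysWOW64.
$denyRules = foreach ($h in $scriptHosts) {
    foreach ($dir in 'System32', 'SysWOW64') {
        $id = [guid]::NewGuid()
        @"
    <FilePathRule Id="$id" Name="Deny $dir\$h" Description="CERT-UA COOKBOX mitigation" UserOrGroupSid="$RestrictedSid" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\$dir\$h" /></Conditions>
    </FilePathRule>
"@
    }
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Default allow rules. Without these, an Exe collection with only deny rules blocks all executables. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules take precedence over allow rules in AppLocker, so these override the Windows-folder allow above. -->
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $OutFile -Value $policyXml -Encoding UTF8

# Dry run: the restricted group must be Denied for a script host and still Allowed for an
# ordinary binary, otherwise the policy is wrong and must not be applied.
$probe = @(
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\mshta.exe",
    "$env:WINDIR\System32\notepad.exe"
)
Test-AppLockerPolicy -XmlPolicy $OutFile -Path $probe -User $RestrictedSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

if ($Apply) {
    # -Merge keeps existing rules instead of replacing the whole policy. Enforcement also
    # requires the Application Identity service (AppIDSvc) to be running.
    Set-AppLockerPolicy -XmlPolicy $OutFile -Merge
}
```

Path-based deny rules stop the trick the report describes (a CMD file calling the installed powershell.exe) but not a copy of the binary placed elsewhere; publisher or hash rules for the same files close that gap. The rules also do not cover pwsh.exe or powershell_ise.exe, which the report does not list but which serve the same purpose for an attacker.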
Read more: https://cert.gov.ua/article/6278620