Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine | Fortinet Blog

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – The malicious Excel document contains elements in Ukrainian designed to lure the user into enabling its macros. ‘The malicious Excel document contains elements in Ukrainian designed to lure the user into enabling its macros.’
• [T1059.005] VB/VBA – The VBA macro deploys a DLL downloader, which is encoded in HEX. ‘The primary function of the VBA macro is to deploy a DLL downloader, which is encoded in HEX.’
• [T1105] Ingress Tool Transfer – The downloader constructs a web request to get the next stage payload from the URL. ‘constructs a web request to get the next stage payload from the URL …’
• [T1218.011] Regsvr32 – The LNK file uses regsvr32 to execute the DLL file. ‘regsvr32 to execute the DLL file.’
• [T1027] Obfuscated/Compressed Files and Information – HEX-encoded strings are used to evade basic string detection. ‘HEX-encoded strings to evade basic string detection mechanisms.’
• [T1070.004] Indicator Removal on Host – The malware features self-deletion to remove traces. ‘self-deletion feature aids evasion tactics.’
• [T1547.001] Registry Run Keys/Startup Folder – Persistence is added via a Run key in the registry. ‘registry value … Run for persistence.’
• [T1055] Process Injection – The final payload is injected into processes to execute Cobalt Strike. ‘injects the decrypted data into itself and employs various APIs … to execute the final Cobalt Strike.’
• [T1071] Web Protocols – The beacon communicates with C2 servers over web protocols. ‘establish communication with a command and control (C2) server.’
• [T1140] Deobfuscate/Decode Files or Information – The loader decrypts data with RC4 and AES to obtain the next-stage payload. ‘decrypt the data using an RC4 algorithm and writes the data to the newly created file’ and ‘decrypts the final payload with an AES algorithm.’