By Cara Lin | June 03, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Compromised machines are under the control of the threat actor
Severity Level: High
FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file that carries an embedded VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure the payload is delivered successfully.
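The chain described above starts with a macro-enabled Excel document that carries a DLL. The following triage script is an added example (not FortiGuard Labs' code or any artifact from this campaign) showing the two indicators a defender can check for in the OOXML container without executing anything: the presence of a `xl/vbaProject.bin` part, which is what makes a workbook macro-enabled, and any zip member whose content begins with the `MZ` signature of a Windows executable. The sample workbook it inspects is constructed in memory; the member names, the placeholder OLE bytes and the assumption that a dropped DLL would sit inside the container as a zip member are all illustrative.

```python
"""Static triage of an OOXML (xlsx/xlsm) container for macro and PE indicators.
Added example; not FortiGuard Labs' code and not an artifact of this campaign."""
import io
import zipfile

# Part name that makes an Office Open XML workbook macro-enabled.
VBA_PART = "xl/vbaProject.bin"
# Signature at offset 0 of every Windows PE file (DLL or EXE).
MZ_MAGIC = b"MZ"


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML zip and report macro/PE indicators.

    Returns a dict with:
      has_vba    - True if the VBA project part is present
      pe_members - zip members whose first two bytes are 'MZ'
      members    - total number of zip members examined
    Nothing in the container is executed; only member names and the
    first two bytes of each member are read.
    """
    result = {"has_vba": False, "pe_members": [], "members": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["members"] += 1
            if info.filename == VBA_PART:
                result["has_vba"] = True
            with zf.open(info) as fh:
                head = fh.read(len(MZ_MAGIC))
            if head == MZ_MAGIC:
                result["pe_members"].append(info.filename)
    return result


def verdict(result: dict) -> str:
    """Map indicators to a coarse triage label for an analyst queue."""
    if result["has_vba"] and result["pe_members"]:
        return "high"      # macro plus embedded executable: matches a DLL-dropper pattern
    if result["has_vba"] or result["pe_members"]:
        return "medium"    # one indicator alone is common in legitimate files
    return "low"


def build_sample(with_vba: bool, with_pe: bool) -> bytes:
    """Build a constructed, minimal xlsm-like container for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Constructed placeholder: real vbaProject.bin is an OLE compound file,
            # whose magic bytes are D0 CF 11 E0; no actual VBA code is included.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
        if with_pe:
            # Constructed placeholder: an 'MZ' header followed by zero padding,
            # standing in for an embedded DLL. Member name is hypothetical.
            zf.writestr("xl/embeddings/oleObject1.bin", MZ_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for vba, pe in ((True, True), (True, False), (False, False)):
        r = triage_ooxml(build_sample(vba, pe))
        print(f"vba={vba} pe={pe} -> {verdict(r)} {r}")
```

In practice the script would be pointed at files quarantined by the mail gateway; the `MZ` check is deliberately shallow (it does not parse the PE header) and will not see a DLL that the macro builds or downloads at run time, so a `low` verdict here is a signal to look further, not a clean bill of health.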
Over the past few years, Ukraine has been a significant target due to its geopolitical situation. The history of these attacks reveals a pattern of increasing complexity and frequency, particularly during periods of geopolitical tension. For instance, in 2022, FortiGuard Labs reported a campaign using a malicious Excel document themed around the Ukrainian military to deliver a multi-stage Cobalt Strike loader. In 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed that UAC-0057 was involved in an attack using a malicious XLS file containing a macro and a lure image to deploy PicassoLoader and Cobalt Strike Beacon on compromised systems.
In this article, we will explore the technical details of this latest multi-stage attack.