TLDR:
- An unknown threat actor targeted government entities in Ukraine using an old Microsoft Office exploit as the initial vector and military vehicles as a lure.
- The attack utilized a custom loader for Cobalt Strike and included sophisticated evasion techniques to steal information.
An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure. The attack was initiated through a malicious PowerPoint file sent as an attachment via the Signal app. The file contained a script that executed the exploit to achieve RCE and steal information. The campaign used a custom loader for Cobalt Strike with various evasion techniques to avoid detection.
Technically, the attack used obfuscated scripts masquerading as legitimate configuration files, established persistence, and decoded and saved its payloads in multiple stages. It also used geographical diversions to make attribution harder. Although the campaign has not been linked to a known threat group, it showed advanced evasion techniques and a persistent strategy for keeping control of infected machines.
Defense recommendations from experts include enhancing employee cybersecurity awareness, patching systems to the latest versions, scanning networks for IoCs, and implementing advanced detection mechanisms beyond signature-based approaches. The attack underscores the importance of robust patch management systems and the need for advanced detection mechanisms to combat evolving threats.
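The initial vector above is a PowerPoint attachment carrying an embedded object, and the recommendations call for scanning beyond signature-based detection. As an added example, not code from the original article or from the researchers it summarizes, the following Python triage script walks a PPTX (an OOXML zip) and flags structural indicators a defender would want to review before the file reaches a user: parts under `ppt/embeddings/` or `ppt/activeX/`, VBA projects, part names with script-like extensions, `oleObject` relationships, and relationships with an external target. The relationship type URIs are the standard OOXML ones; the list of "script-like" extensions is my own assumption about what merits a closer look, and the sample PPTX files are constructed in memory purely to exercise the checks.

```python
import io
import re
import zipfile

# Standard OOXML relationship types (from the Open Packaging / OfficeDocument schemas).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
EXTERNAL_ATTR = 'TargetMode="External"'

# Assumption: part names ending in these extensions are unusual enough inside a
# presentation to warrant analyst review. Extend to taste.
SCRIPT_EXTENSIONS = (".sct", ".js", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".dll")

REL_PATTERN = re.compile(r"<Relationship\b[^>]*>")
TARGET_PATTERN = re.compile(r'Target="([^"]*)"')


def triage_pptx(data: bytes) -> dict:
    """Return {"findings": [...], "risk_score": n} for a PPTX given as raw bytes.

    This is a structural triage, not a verdict: a hit means the file deserves
    sandboxing or manual analysis, not that it is definitely malicious.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            # Embedded OLE objects and ActiveX controls live in dedicated parts.
            if lower.startswith(("ppt/embeddings/", "ppt/activex/")):
                findings.append(f"embedded object part: {name}")
            # Macros: a VBA project stored inside the package.
            if lower.endswith("vbaproject.bin"):
                findings.append(f"VBA project present: {name}")
            # Script-like part names are out of place in a presentation.
            if lower.endswith(SCRIPT_EXTENSIONS):
                findings.append(f"script-like part name: {name}")
            # Relationship files tell us how parts reference objects and URLs.
            if lower.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in REL_PATTERN.findall(xml):
                    m = TARGET_PATTERN.search(rel)
                    target = m.group(1) if m else "?"
                    if OLE_REL_TYPE in rel:
                        findings.append(f"{name}: oleObject relationship -> {target}")
                    if EXTERNAL_ATTR in rel:
                        findings.append(f"{name}: external target -> {target}")
    return {"findings": findings, "risk_score": len(findings)}


def build_sample_pptx(with_ole: bool) -> bytes:
    """Construct a minimal, synthetic PPTX-like zip for testing the triage.

    with_ole=False yields a bare slide; with_ole=True adds an embedded OLE part,
    an oleObject relationship and an external-target relationship (all constructed).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        rels = ['<Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" '
                'Target="../slideLayouts/slideLayout1.xml"/>']
        if with_ole:
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)  # placeholder bytes
            rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>')
            rels.append('<Relationship Id="rId3" '
                        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                        'Target="http://example.invalid/placeholder" TargetMode="External"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "<Relationships>" + "".join(rels) + "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pptx(False)), ("embedded", build_sample_pptx(True))):
        report = triage_pptx(sample)
        print(f"{label}: risk_score={report['risk_score']}")
        for finding in report["findings"]:
            print("  -", finding)
```

To use it on real mail attachments, read the file bytes and call `triage_pptx`; anything with a non-zero `risk_score` is a candidate for detonation in a sandbox or for blocking at the gateway, which is the kind of behaviour-oriented check that catches a novel loader even when no signature exists yet.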