Researchers at the threat intelligence and research organization FortiGuard discovered a fake salary-calculating Excel file that launched Cobalt Strike Beacon malware on the recipient's device. The researchers observed that the attack, which may be directed at either Ukraine or Russia, used a military-themed Excel file for calculating military personnel's salaries. It was speculated that this may be a ploy to divert attention, take undue advantage of the conflict, or increase tension between the two nations.
The malicious Excel file
The fake, malicious file found by the researchers looked like a salary-calculating Excel file for Ukrainian military personnel. When triggered, the malware executed multistage loaders that launched the Cobalt Strike Beacon payload.
Cobalt Strike
The reportedly well-written and customizable Cobalt Strike Beacon can load itself into memory without touching the disk, exfiltrate files from the victim's device, carry out advanced persistent threat attacks, take screenshots, execute other payloads, and even bypass two-factor authentication using its browser pivoting capability. It also gives the operating group remote access to the compromised device.
The infection
The attack began with a macro-enabled Excel workbook (XLSM) containing malicious macro code. The file's macro is named 'sumpropua', an abbreviation of Suma Propisom UA, a common term in such documents for salary figures written out in words, which the macro converts to their numerical values. Opening the VBA code revealed a rather large area of white space; scrolling past it exposed the malicious function SUMMPROPIS2, which is executed automatically when the file is opened via the Workbook_Open() function.
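Both tricks described above, the on-open trigger and the white-space padding, are visible once the VBA module stream is decompressed. The following is an added example, not code from the FortiGuard write-up: a minimal decompressor for the MS-OVBA container format that Office uses for module streams in vbaProject.bin, plus a scanner that flags a Workbook_Open handler combined with a long blank region. SAMPLE_MODULE, pack_vba, the 50-blank-line threshold and the routine names in the sample are constructed for illustration.

```python
import re
import struct
AUTO_EXEC = ("Workbook_Open", "Auto_Open", "Document_Open")  # handlers that run on file open
# Constructed sample of the layout described above: Workbook_Open, a long blank region, then the routine it calls
SAMPLE_MODULE = (b"Private Sub Workbook_Open()\r\n    SUMMPROPIS2\r\nEnd Sub\r\n"
                 + b"\r\n" * 300 + b"Sub SUMMPROPIS2()\r\n    ' decoder stub (constructed)\r\nEnd Sub\r\n")

def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA module stream: signature 0x01, then 4 KiB chunks of tokens."""
    if data[:1] != b"\x01":
        raise ValueError("not a compressed VBA container")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]       # 12-bit size, 3-bit sig, 1-bit flag
        end, pos = min(len(data), pos + (header & 0x0FFF) + 3), pos + 2
        chunk_start = len(out)
        if not header & 0x8000:             # flag 0: chunk stored as 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096                     # leaves pos == end, so the token loop is skipped
        while pos < end:
            flags, pos = data[pos], pos + 1  # one flag bit per following token
            for bit in range(8):
                if pos >= end: break
                if not (flags >> bit) & 1:   # literal token: one raw byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token, pos = struct.unpack_from("<H", data, pos)[0], pos + 2  # copy token
                bits = max(4, (len(out) - chunk_start - 1).bit_length())   # offset field width
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):      # back-reference may overlap the bytes it produces
                    out.append(out[-offset])
    return bytes(out)

def pack_vba(src: bytes) -> bytes:
    """Wrap src (<= 3640 bytes) in a one-chunk, literal-only container; used to build test input."""
    body = b"".join(b"\x00" + src[j:j + 8] for j in range(0, len(src), 8))  # flag 0 = 8 literals
    if len(body) + 2 > 4098:
        raise ValueError("literal-only encoding needs src <= 3640 bytes")
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) - 1)) + body

def scan_module(stream: bytes) -> dict:
    """Flag an on-open handler combined with a long blank run that pushes code off-screen."""
    src = decompress_vba(stream).decode("latin-1")
    triggers = [t for t in AUTO_EXEC if re.search(r"\bSub\s+%s\b" % t, src, re.I)]
    runs = [m.group().count("\n") - 1 for m in re.finditer(r"(?:[ \t]*\r?\n){2,}", src)]
    gap = max(runs, default=0)               # longest run of consecutive blank lines
    return {"auto_exec": triggers, "max_blank_lines": gap, "suspicious": bool(triggers) and gap >= 50}
```

In a real vbaProject.bin the module streams sit inside an OLE container; extract each one (for example with olefile) and pass it to scan_module.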
Obfuscation techniques used
The VBA code was obfuscated, which rendered its functions unreadable. The main malicious function, OpenModule, decoded the malicious binary, saved it, and created a Windows shortcut (.LNK) file. Malicious DLL functions were then executed; such a DLL can inject harmful code into applications by abusing certain Windows applications. Attacks of this kind can alter system applications and give cyber criminals remote access.
In the wake of the Russo-Ukrainian war, such cyber-attacks can damage systems on which several services depend. They can lower security settings on the device, corrupt systems, and execute other malware, disrupting regular processes.