Threat actors are sending targeted phishing emails to users in Ukraine to attempt to trick them into installing malware, including Cobalt Strike beacons, on their systems. These phishing emails impersonate Ukrainian government agencies and advise recipients to download critical security updates for an antivirus product.
When a user visits the website listed in the phishing email, they are offered download buttons for the alleged AV software updates. When executed, the malware downloads and installs a Cobalt Strike beacon being hosted on the Discord CDN. The malware also downloads a secondary executable in the form of a Go dropper. This Go dropper then decodes and executes a secondary file, which modifies the Registry of the infected system to establish persistence and downloads two additional payloads, the GraphSteel and GrimPlant backdoors. Both backdoors have similar functionality, so it is likely they are both deployed for redundancy purposes, along with the Cobalt Strike beacon. All executables used in this campaign are packed with the Themida tool to try to prevent them from being reversed engineered.
The threat actor behind this campaign is believed to be Lorec53, a sophisticated Russian-speaking APT that has been seen to have a high level of coordination and alignment with the interests of the Russian state. Lorec53 has also been seen specifically targeting Ukrainian government agencies with phishing attacks and network compromises since December of 2021.
It is highly recommended to use and maintain proper email security controls as well as provide user training on how to spot phishing emails. Due to the invasion of Ukraine, Russian-backed threat actors and groups will be highly targeting Ukrainian government agencies and organizations to try to destabilize the country digitally. This will most assuredly involve a noticeable increase in phishing emails being sent to these organizations. Maintaining a high level of security and scrutiny around incoming emails will be essential to help prevent these actors from obtaining an initial foothold into a network. If the payload of a phishing email is launched, having appropriate endpoint controls, such as an EDR, can help prevent the malware from properly executing. Even if the malware is not prevented, an EDR or other logging solution can help detect an infection’s behavior. Behavior like files executing from the root of the ProgramData folder, abnormal processes making connections to Discord’s CDN, and regular beaconing patterns can all be detected and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset in these types of detection needs.