Threat actors are sending targeted phishing emails to users in Ukraine in an attempt to trick them into installing malware, including Cobalt Strike beacons, on their systems. The emails impersonate Ukrainian government agencies and urge recipients to download critical security updates for an antivirus product.
When a user visits the website listed in the phishing email, they are offered download buttons for the alleged AV software updates. When executed, the downloaded file retrieves and installs a Cobalt Strike beacon hosted on the Discord CDN. It also downloads a second executable, a dropper written in Go, which decodes and executes a further payload; that payload modifies the Registry of the infected system to establish persistence and downloads two additional payloads, the GraphSteel and GrimPlant backdoors. Both backdoors have similar functionality, so they are likely deployed alongside the Cobalt Strike beacon for redundancy. All executables used in this campaign are packed with Themida to hinder reverse engineering.
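Two of the observables in the chain above lend themselves to a simple hunt: executable downloads from the Discord CDN, and a registry persistence write on the same host shortly afterwards. The Python below is an added example, not code from the original report or from any of the vendors mentioned. The proxy and endpoint log lines are constructed for the example (the attachment IDs and hostnames are invented), the CSV field layout is assumed, and the choice of the `CurrentVersion\Run` key as the persistence location is an assumption; the text says only that the Registry is modified for persistence.

```python
import csv
import re
from datetime import datetime, timedelta
from io import StringIO
from urllib.parse import urlparse

# Constructed proxy log (CSV): timestamp,host,url,content_type,bytes.
# Invented for this example; the attachment IDs are not real Discord IDs.
PROXY_LOG = """\
2022-03-10T09:12:03Z,WS-0142,https://cdn.discordapp.com/attachments/947000000000000000/947000000000000001/update.exe,application/x-msdownload,1893376
2022-03-10T09:12:40Z,WS-0142,https://cdn.discordapp.com/attachments/947000000000000000/947000000000000002/dropper.exe,application/octet-stream,4108800
2022-03-10T09:15:11Z,WS-0077,https://cdn.discordapp.com/attachments/947000000000000003/947000000000000004/team-photo.png,image/png,204800
2022-03-10T09:20:00Z,WS-0077,https://updates.av-vendor.example/update.exe,application/x-msdownload,1893376
"""

# Constructed endpoint telemetry (Sysmon-style registry value-set events), CSV:
# timestamp,host,image,target_key. Using the Run key is an assumption; the
# report states only that the Registry is modified to establish persistence.
REGISTRY_LOG = """\
2022-03-10T09:13:05Z,WS-0142,C:\\Users\\olena\\AppData\\Local\\Temp\\dropper.exe,HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityUpdate
2022-03-10T11:00:00Z,WS-0077,C:\\Windows\\explorer.exe,HKU\\S-1-5-21-1111111111-2222222222-3333333333-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden
2022-03-10T16:40:00Z,WS-0142,C:\\Program Files\\Vendor\\setup.exe,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater
"""

DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}          # the CDN named in the report
BINARY_EXTENSIONS = (".exe", ".dll", ".scr")
BINARY_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream",
                        "application/x-dosexec"}
# Matches HKCU/HKU/HKLM ...\CurrentVersion\Run\ and \RunOnce\ (assumed location).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def find_cdn_binary_downloads(proxy_log):
    """Return (timestamp, host, url) for executable downloads from the Discord CDN.
    A hit needs a CDN hostname plus either a binary extension or a binary MIME type."""
    hits = []
    for ts, host, url, ctype, _size in csv.reader(StringIO(proxy_log)):
        u = urlparse(url)
        if u.hostname not in DISCORD_CDN_HOSTS:
            continue
        if u.path.lower().endswith(BINARY_EXTENSIONS) or ctype.lower() in BINARY_CONTENT_TYPES:
            hits.append((parse_ts(ts), host, url))
    return hits


def find_run_key_writes(registry_log):
    """Return (timestamp, host, image, key) for writes under a Run/RunOnce key."""
    return [(parse_ts(ts), host, image, key)
            for ts, host, image, key in csv.reader(StringIO(registry_log))
            if RUN_KEY_RE.search(key)]


def correlate(proxy_log, registry_log, window=timedelta(minutes=30)):
    """Pair each Run-key write with Discord CDN binary downloads on the same host
    within the preceding `window`. A pair is the download-then-persist sequence
    described in the text; a Run-key write with no such download is dropped."""
    downloads = find_cdn_binary_downloads(proxy_log)
    alerts = []
    for reg_ts, host, image, key in find_run_key_writes(registry_log):
        preceding = [url for dl_ts, dl_host, url in downloads
                     if dl_host == host and reg_ts - window <= dl_ts <= reg_ts]
        if preceding:
            alerts.append({"host": host, "persistence_key": key,
                           "written_by": image, "downloads": preceding})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROXY_LOG, REGISTRY_LOG):
        print(alert)
```

On the constructed data this raises one alert for WS-0142 (two CDN executables followed within a minute by a Run-key write from the dropper) and nothing for WS-0077, whose CDN download is an image and whose executable came from a non-Discord host. The vendor Run-key write on WS-0142 in the afternoon is ignored because no CDN download precedes it inside the 30-minute window; widen `window` if your environment shows longer gaps between download and persistence.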
The threat actor behind this campaign is believed to be Lorec53, a sophisticated Russian-speaking APT whose activity has shown a high level of coordination with, and alignment to, the interests of the Russian state. Lorec53 has also been observed specifically targeting Ukrainian government agencies with phishing attacks and network compromises since December 2021.