The notorious Cobalt Strike Beacon malware has been actively distributed by multiple hacking collectives in spring 2022 as part of the ongoing cyber war against Ukraine, mainly leveraged in targeted phishing attacks on Ukrainian state bodies. On July 6, 2022, CERT-UA released an alert warning of a new malicious email campaign targeting Ukrainian government entities. The ongoing cyber-attack involves the mass distribution of emails with a lure subject and an XLS file attachment containing a malicious macro that leads to a Cobalt Strike Beacon infection on the compromised system.
Earlier, in March 2022, CERT-UA researchers observed the activity of the UAC-0056 hacking group spreading Cobalt Strike Beacon along with other malware strains in a phishing campaign against Ukrainian government entities. The latest cyber-attack reported by CERT-UA shares similarities with the previous incident, leveraging the same attack vector and the same behavior patterns, which allows it to be attributed to the activity of the UAC-0056 group.
The attack kill chain starts with a phishing email containing military-related lures and a malicious XLS document attached. If the user is tricked into opening the document and enabling the embedded macro, a malicious “write.exe” file is executed on the infected host. CERT-UA analysis shows that this file acts as a dropper that launches a PowerShell script. Additionally, “write.exe” ensures persistence by creating a “Check License” key in the Windows registry.
In the next stage of the attack, the PowerShell script bypasses AMSI, disables PowerShell event logging, and decodes and extracts the second-stage PowerShell script that delivers the Cobalt Strike Beacon infection.
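The chain described above gives defenders several high-signal events to alert on: an Office process spawning the “write.exe” dropper, a Run-key value named “Check License” written by that dropper, and PowerShell script blocks that tamper with AMSI or script block logging. The following Python is an added example, not CERT-UA's or SOC Prime's code; it mirrors the logic of such Sigma rules over constructed Sysmon and PowerShell events (the field names, file paths and script fragments are assumed sample data, not indicators from the alert):

```python
import re
from typing import Iterable

# Constructed sample telemetry modelled on Sysmon (EID 1 process create, EID 13
# registry value set) and PowerShell script block logging (EID 4104). Not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\u\AppData\Local\Temp\write.exe"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\write.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Check License"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"id": 4104, "script": "... AmsiUtils ... amsiInitFailed ... (constructed fragment)"},
    {"id": 4104, "script": "Set-ItemProperty ... ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0"},
    {"id": 4104, "script": "Get-ChildItem C:\\Users | Measure-Object"},
]

OFFICE_APPS = ("EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Tokens commonly seen when a script disables AMSI or PowerShell logging
POWERSHELL_TAMPER = re.compile(
    r"AmsiUtils|amsiInitFailed|EnableScriptBlockLogging|EnableModuleLogging", re.I)


def match_event(ev: dict) -> list:
    """Return the names of the detection rules a single event triggers."""
    hits = []
    if ev["id"] == 1 and ev["parent"].upper().endswith(OFFICE_APPS):
        # Office application spawning a new process: the macro -> write.exe step
        hits.append("office_spawns_process")
    if ev["id"] == 13 and RUN_KEY.search(ev["target"]):
        value_name = ev["target"].rsplit("\\", 1)[-1]
        # Either the value name from the alert or a Run-key write from a temp directory
        if value_name.lower() == "check license" or "\\temp\\" in ev["image"].lower():
            hits.append("run_key_persistence")
    if ev["id"] == 4104 and POWERSHELL_TAMPER.search(ev["script"]):
        hits.append("powershell_amsi_or_logging_tamper")
    return hits


def scan(events: Iterable[dict]) -> dict:
    """Count rule hits across a stream of events."""
    counts = {}
    for ev in events:
        for rule in match_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], match_event(ev))
    print(scan(SAMPLE_EVENTS))
```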
To assist cyber defenders in proactive detection and mitigation of the malicious activity associated with the latest attack against Ukrainian government entities, SOC Prime’s Detection as Code platform offers a batch of curated Sigma rules. For a streamlined search for relevant detection content, all Sigma rules are tagged as #UAC-0056 based on the adversary activity attributed to this most recent cyber-attack covered in the CERT-UA#4914 alert. To instantly access the detection algorithms, follow the link below after signing up or logging into SOC Prime’s platform:
To obtain the entire list of detection rules and hunting queries that enable cybersecurity experts to identify malicious Cobalt Strike Beacon presence in their environment in a timely manner, click the Detect & Hunt button below. Browse SOC Prime’s cyber threats search engine to instantly drill down to the list of Sigma rules detecting the malicious activity of UAC-0056 threat actors, along with in-depth contextual metadata such as MITRE ATT&CK® and CTI references, CVE descriptions, and other relevant threat context.
To gain insights into the context of the cyber-attacks attributed to the activity of the UAC-0056 group targeting Ukrainian government officials, all above-referenced Sigma rules are aligned with the MITRE ATT&CK® framework addressing the corresponding tactics and techniques:
Credentials from Password Stores (T1555)
Query Registry (T1012)
Command and Scripting Interpreter (T1059)