The notorious Cobalt Strike Beacon malware has been actively distributed by multiple hacking collectives in spring 2022 as part of the ongoing cyber war against Ukraine, mainly leveraged in targeted phishing attacks on Ukrainian state bodies. On July 6, 2022, CERT-UA released an alert warning of a new malicious email campaign targeting Ukrainian government entities. The ongoing cyber-attack involves the mass distribution of emails with a lure subject and an XLS file attachment containing a malicious macro that leads to a Cobalt Strike Beacon infection on the compromised system.

Cobalt Strike Beacon Distribution: CERT-UA Details the Latest UAC-0056 Attack Against Ukraine

Earlier, in March 2022, CERT-UA researchers observed the activity of the UAC-0056 hacking group spreading Cobalt Strike Beacon along with other malware strains in a phishing campaign against Ukrainian government entities. The latest cyber-attack reported by CERT-UA shares similarities with the previous incident: it leverages the same attack vector and shows identical behavior patterns that can be attributed to the activity of the UAC-0056 group.

The attack kill chain starts with a phishing email that contains military-related lures and has a malicious XLS document attached. If the user is tricked into opening the document and enabling the embedded macro, a malicious “write.exe” file is executed on the infected instance. CERT-UA analysis shows that this file acts as a dropper that triggers a PowerShell script. Additionally, “write.exe” ensures persistence by creating a “Check License” key in the Windows registry.

During the next stage of the attack, the PowerShell script circumvents AMSI, disables event logging for PowerShell, and decodes and extracts the second-stage PowerShell script aimed at Cobalt Strike Beacon infection.
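
The host-side behaviors described above can be checked against endpoint telemetry. The following is an added example, not a SOC Prime Sigma rule or CERT-UA code: it assumes Sysmon-style events (EventID 1 process creation, EventID 12/13 registry) already parsed into dictionaries, and all sample paths, including the registry location of “Check License”, are constructed placeholders because the article does not give them.

```python
import ntpath

# Directories where the genuine Windows write.exe normally resides.
LEGIT_WRITE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
OFFICE_PARENTS = {"excel.exe"}            # the lure in this campaign is an XLS file
SHELLS = {"powershell.exe", "pwsh.exe"}

def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def detect(event):
    """Return the findings for one Sysmon-style event dict (field names assumed)."""
    hits = []
    eid = event.get("EventID")
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    if eid == 1:  # process creation
        if _name(image) == "write.exe":
            if ntpath.dirname(image).lower() not in LEGIT_WRITE_DIRS:
                hits.append("write.exe outside Windows directories")
            if _name(parent) in OFFICE_PARENTS:
                hits.append("Office application spawned write.exe")
        if _name(parent) == "write.exe" and _name(image) in SHELLS:
            hits.append("write.exe spawned PowerShell")
    elif eid in (12, 13):  # registry key created / value set
        target = event.get("TargetObject", "")
        if target.rstrip("\\").lower().endswith("\\check license"):
            hits.append('"Check License" registry persistence')
    return hits

# Constructed sample events for illustration; not taken from the CERT-UA alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\write.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\write.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\write.exe",
     "TargetObject": r"HKU\PLACEHOLDER-SID\EXAMPLE-PATH\Check License"},
    {"EventID": 1, "Image": r"C:\Windows\System32\write.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},   # benign WordPad launcher
]

if __name__ == "__main__":
    for number, sample in enumerate(SAMPLE_EVENTS, 1):
        print(number, detect(sample) or "no findings")
```

The AMSI bypass and the disabling of PowerShell event logging are not covered here, since the article gives no strings or commands to match on.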

Detecting UAC-0056 Activity: Sigma Rules to Spot New Attacks Against Ukrainian Government

To assist cyber defenders in proactive detection and mitigation of the malicious activity associated with the latest attack against Ukrainian government entities, SOC Prime’s Detection as Code platform offers a batch of curated Sigma rules. For a streamlined search for relevant detection content, all Sigma rules are tagged as #UAC-0056 based on the adversary activity attributed to this most recent cyber-attack covered in the CERT-UA#4914 alert. To instantly access the detection algorithms, follow the link below after signing up or logging into SOC Prime’s platform:

Sigma rules to detect the malicious activity of the UAC-0056 group 

To obtain the entire list of detection rules and hunting queries that enable cybersecurity experts to identify the presence of the malicious Cobalt Strike Beacon in their environment in a timely manner, click the Detect & Hunt button below. Browse SOC Prime’s cyber threats search engine to instantly drill down to the list of Sigma rules that detect the malicious activity of UAC-0056 threat actors, along with in-depth contextual metadata such as MITRE ATT&CK® and CTI references, CVE descriptions, and more relevant threat context.

Detect & Hunt Explore Threat Context

MITRE ATT&CK® Context

To gain insights into the context of the cyber-attacks attributed to the activity of the UAC-0056 group targeting Ukrainian government officials, all above-referenced Sigma rules are aligned with the MITRE ATT&CK® framework addressing the corresponding tactics and techniques:
