CredoMap and Cobalt Strike Beacon Detection: APT28 Group and UAC-0098 Threat Actors Once Again Attack Ukrainian Organizations

CredoMap and Cobalt Strike Beacon Malware

On June 20, 2022, CERT-UA issued two separate alerts that warn the global cybersecurity community of a new wave of cyber-attacks on Ukrainian organizations weaponizing the nefarious zero-day vulnerability actively exploited in the wild and tracked as CVE-2022-30190 aka Follina. In the CERT-UA#4842 alert, cybersecurity researchers unveiled the malicious activity by a hacking group identified as UAC-0098 spreading Cobalt Strike Beacon malware. Another alert CERT-UA#4843 highlights the delivery of CredoMap malware attributed to the malicious activity of the notorious Russian nation-backed hacking collective APT28 also known as UAC-0028.Ā 

Detect the APT28 and UAC-0098 Malicious Activity Observed in Cyber-Attacks on Ukraine

To help cybersecurity practitioners proactively defend against the malicious activity covered in the CERT-UA#4842 and CERT-UA#4843 alerts, SOC Primeā€™s Detection as Code platform offers a batch of dedicated Sigma rules. For streamlined content search, all detection algorithms are tagged based on the adversary activity associated with relevant attacks, such as #UAC-0098, or based on the corresponding CERT-UA alert identification, like CERT-UA#4843. SOC Prime users are prompted to log into the platform with their current account or create and activate a new one to access the dedicated rule kits:

Sigma rules to detect the malicious activity of the UAC-0098 group, including the recent attacks covered in the CERT-UA#4842 alert

Sigma rules to detect the malicious activity covered in the CERT-UA#4843 alert

All the above-referenced SOC content items filtered by the corresponding tags are aligned with the MITRE ATT&CKĀ® framework and are compatible with the industry-leading SIEM, EDR, and XDR solutions enabling teams to adapt detection and hunting capabilities to their unique threat profiles and environment needs. 

Also, below you can find an extensive list of Sigma-based rules to detect the malicious activity of the APT28 hacking collective also identified as UAC-0028, which has been spotted in the latest campaign spreading CredoMap malware in addition to a number of earlier phishing attacks on Ukraine:

Sigma Rules to Detect the Malicious Activity of APT28/UAC-0028

To reach the comprehensive list of Sigma rules for the CVE-2022-30190 vulnerability exploit detection, registered SOC Prime users can click the Detect & Hunt button and instantly drill down to the dedicated detection stack. Cybersecurity professionals can also browse SOC Prime even without registration to immediately explore the latest trends in the cyber threat arena, access the newly released Sigma rules, and gain insights into relevant contextual information.

Detect & Hunt Explore Threat Context

CredoMap and Cobalt Strike Beacon Malware Distribution: Overview of the Latest Attacks on Ukraine

In June 2022, cybersecurity researchers have observed ongoing in-the-wild attacks targeting Ukrainian government entities exploiting the Windows CVE-2022-30190 zero-day vulnerability and spreading Cobalt Strike Beacon malware. In the latest malicious campaigns targeting Ukrainian organizations, APT28 and UAC-0098 threat actors continue to leverage the CVE-2022-30190 exploit attempting to deliver Cobalt Strike Beacon and CredoMap malware samples applying a similar attack vector with the use of a lure attachment. 

Both malware strains used in the latest attacks covered by the above-mentioned CERT-UA alerts have already been in the spotlight of the cybersecurity researchers during the ongoing global cyber war representing the phishing attack vector. Earlier this year, in April 2022, the UAC-0098 hacking collective also known as TrickBot was found spreading Cobalt Strike Beacon in a phishing campaign targeting Ukrainian officials and leveraging emails related to Azovstal. As for the previous phishing campaigns by the Russia-linked APT-28 group aka UAC-0028, in March 2022, it was spotted behind a cyber-attack against Ukrainian state bodies also leveraging the updated version of the CredoMap malware dubbed CredoMap_v2

In the latest campaigns highlighted by the CERT-UA#4842 and CERT-UA#4843 alerts, adversaries have leveraged a lure document that triggers an infection chain and leads to an HTML file download, followed by executing malicious JavaScript code, which further spreads malware on the compromised systems. In the cyber-attack attributed to the UAC-0098 group, the lure DOCX file was delivered by means of email spoofing disguising a fake email sender as the State Tax Service of Ukraine. 

With a growing number of attack volumes shaping the modern cyber threat landscape, cybersecurity professionals are constantly in search of enhanced cyber defense capabilities and new ways for streamlined threat investigation. SOC Primeā€™s Detection as Code platform harnesses the power of collaborative cyber defense to enable global organizations to boost threat detection and accelerate threat hunting velocity more efficiently than ever before. Moreover, individual cybersecurity professionals who are keen on crafting their own detection rules have a brilliant opportunity to join Threat Bounty Program and see in action how their content contribution helps build a safer future.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts