CVE-2021-40444 and CVE-2022-30190 Exploit Detection: Cobalt Strike Beacon Delivered in a Cyber-Attack on Ukrainian State Bodies

Just two days after the nefarious CVE-2022-30190 aka Follina was revealed, security researchers report in-the-wild attacks leveraging the exploits to target state institutions of Ukraine. On June 2, 2022, CERT-UA issued a heads-up warning of an ongoing campaign spreading Cobalt Strike Beacon malware by exploiting Windows CVE-2021-40444 and CVE-2022-30190 zero-day vulnerabilities, which have been recently in the spotlight of the global cybersecurity community.

CVE-2021-40444 and CVE-2022-30190 Exploitation to Deliver Cobalt Strike Beacon: Phishing Attack Analysis

Cobalt Strike Beacon malware resurfaces to target Ukraine once again. This time, the nation-state actors utilize exploits for the novel Follina zero-day (CVE-2022-30190) and the notorious Microsoft MSHTML flaw (CVE-2021-40444) to proceed with attacks against the Ukrainian government and drop Cobalt Stike Beacon loaders to the systems of interest. 

The latest cyber-attack spotted by the Computer Emergency Response Team of Ukraine starts with a phishing email containing a DOCX file attached. The document contains a malicious URL redirecting unsuspecting victims to the HTML file with a JavaScript code embedded. If executed, CVE-2021-40444 and CVE-2022-30190 vulnerabilities are exploited to launch a PowerShell command, download an EXE file, and infect the targeted instance with Cobalt Strike Beacon malware. 

The Cobalt Strike Beacon malware has been frequently used by state-backed actors in campaigns against the Ukrainian government. CERT-UA experts highlighted multiple intrusions delivering this type of malware during March-June 2022. 

Sigma Rules to Detect Cobalt Strike Beacon in the Latest Phishing Campaign

Cyber-attacks leveraging the recently-revealed Follina zero-day tracked as CVE-2022-30190 showcase the accelerating speed the offense part incorporates into novel security gaps expanding the scope of its arsenal. It takes only hours for the new exploit to be included in the kill chain which means security performers should be swift in data exchange and addressing new challenges. 

To proactively withstand the attack exploiting CVE-2021-40444 and CVE-2022-30190 zero-day vulnerabilities, tap into the power of collaborative cyber defense and download a set of dedicated Sigma rules available in the SOC Prime Platform. Detection algorithms for relevant vulnerabilities are tagged as #CVE-2021-40444 and #CVE-2022-30190 respectively. Make sure to log in or sign up for the SOC Prime Platform to access these detection rules:

Sigma Rules to Detect CVE-2022-30190 Expoitation Attempts 

Sigma Rules to Detect CVE-2021-40444 Expoitation Attempts 

Cyber defenders can also obtain a batch of curated threat hunting queries aimed at detecting the malicious activity associated with this latest campaign against the Ukrainian government. Follow the link below to take advantage of the dedicated hunting content filtered by the custom tag, which matches the relevant CERT-UA#4753 alert:

Hunting Content to Search for Threats Targeting Ukraine Covered by the CERT-UA Alert #4753

To boost threat investigation, security practitioners can run instant hunts in their environment using the above-referenced curated queries via SOC Prime’s Quick Hunt module


To gain insights into the context of the most recent phishing cyber-attack on Ukrainian government officials spreading Cobalt Strike Beacon, the above-mentioned Sigma rules are aligned with the ATT&CK framework addressing relevant tactics and techniques:



Sigma Rule

Initial Access

Phishing (T1566)

Defense Evasion

Signed Binary Proxy Execution (T1218)

Hide Artifacts (T1564)

Obfuscated Files or Information (T1027)

Hijack Execution Flow  (T1574)

Template Injection (T1221)

Modify Registry (T1112)

Process Injection (T1055)


Command and Scripting Interpreter (T1059)

User Execution (T1204)

Exploitation for Client Execution (T1203)

Lateral Movement

Exploitation of Remote Services (T1210)

Command and Control

Data Obfuscation (T1001)

Ingress Tool Transfer (T1105)

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts