UAC-0056 Threat Actors Deliver Cobalt Strike Beacon Malware in Yet Another Phishing Campaign Against Ukraine

UAC-0056 Threat Actors Deliver Cobalt Strike Beacon

Hot on the heels of the cyber-attack on July 5 targeting Ukrainian state bodies and attributed to the notorious UAC-0056 hacking collective, yet another malicious campaign launched by this group causes a stir in the cyber domain. On July 11, 2022, cybersecurity researchers at CERT-UA warned the global community of an ongoing phishing attack leveraging a lure subject and a malicious attachment related to the topic of war in Ukraine. In the latter cyber-attack, threat actors once again use the phishing email attack vector to distribute Cobalt Strike Beacon malware. This time, malicious emails are spread from the compromised email accounts of the Ukrainian government entities.  

UAC-0056 Group Attack Detection: Sigma Rules to Timely Identify the Malicious Activity

To help cybersecurity professionals timely identify the malicious activity of the UAC-0056 hacking group related to the latest email campaigns targeting Ukraine, SOC Prime’s platform offers a set of curated detection algorithms available via a link below: 

Sigma rules to spot the malicious activity of the UAC-0056 threat actors

Please note that only registered SOC Prime users can gain access to the above-referenced Sigma rules along with their translations to multiple SIEM, EDR, and XDR formats.  

To make it easier and faster to search for the relevant detection content, all Sigma-based rules are tagged accordingly as #UAC-0056 based on the associated adversary activity. Also, the detection content is aligned with the MITRE ATT&CK® framework addressing the corresponding adversary tactics and techniques to ensure comprehensive visibility into the context of related cyber-attacks. Please refer to our previous blog article on the email campaign by UAC-0056 targeting Ukrainian officials to drill down to the threat context based on ATT&CK. 

Cybersecurity practitioners who are registered for SOC Prime’s platform can also explore the comprehensive list of Sigma rules to detect Cobalt Strike Beacon malware by clicking the Detect & Hunt button below. In addition, SOC Prime offers the industry-first search engine tool allowing security teams to browse for a certain CVE, malware, APT, or exploit and instantly get the list of related Sigma rules in conjunction with insightful threat context, like MITRE ATT&CK references, CTI links, Windows executable binaries linked to detections, and more actionable metadata. Click the Explore Threat Context button to find all relevant search results for Cobalt Strike Beacon even without the registration process.

Detect & Hunt Explore Threat Context

Cobalt Strike Beacon Malware Delivery: Overview of Another Attack by UAC-0056 Against Ukrainian Officials

The most recent alert CERT-UA#4941 warns of the mass distribution of malicious emails with a subject related to the humanitarian crisis in Ukraine induced by the full-scale ongoing war that broke out on February 24. The emails in question have an XLS document as an attachment with a similar lure file name tricking the potential victims into opening it. The latter contains a malicious macro, which, if opened, launches an executable file “baseupd.exe”, which in turn, can lead to dropping Cobalt Strike Beacon on the targeted systems. 

Notably, the latest cyber-attack shares a number of similarities with the previous malicious campaign targeting Ukrainian state bodies, including the malware strain chosen for spreading infection and the cyber offenders who are behind this email campaign. Based on the adversary TTPs, the cyber-attack is also attributed to the UAC-0056 hacking group also known as SaintBear.

The malicious activity of the UAC-0056 threat actors targeting Ukraine has a history tracing back to the phishing campaign in March 2022 spreading Cobalt Strike Beacon, GrimPlant, and GraphSteel malware samples. Moreover, these threat actors are also linked to the destructive cyber-attack on Ukraine leveraging WhisperGate data-wiping malware. 

It is strongly recommended to apply multi-factor authentication as an additional layer of email security enabling organizations to ensure better protection against cyber-attacks leveraging the email attack vector.

Sign up for SOC Prime’s Detection as Code platform to find an all-in-one solution to help your team seamlessly address the threat complexity and data quality challenges backed by the power of collaborative cyber defense. Searching for new ways to boost your Threat Hunting and Detection Engineering skills? Join the Threat Bounty Program to turn your skill set into recurring financial benefits with prolific opportunities for recognition among industry peers and self-advancement. Craft Sigma and YARA rules, get them shared with the community and monetize your detection efforts with SOC Prime’s crowdsourced initiative.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts