• Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.
  • The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government.
  • The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats. This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.
  • The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.

Ukrainian and Polish government and military organizations among those targeted

Talos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine, based on the content of the lure displayed when the target opens a malicious Microsoft Excel file. Talos eventually uncovered additional campaigns, including the two previously mentioned by Ukraine’s Computer Emergency Response Team (CERT-UA) and FortiGuard Labs researchers. The campaigns we discovered also involve malicious files intended for users in Poland.

The actor is focusing on Ukrainian and Polish government and military targets, based on the content of Excel and PowerPoint lures that include official-looking images and text. The purpose of these socially engineered lures is to convince the targeted users to enable macros, thereby allowing the execution chain to commence. This is the first stage of the attack, as demonstrated in the timeline below.

Timeline of the various attacks.
Stages of the attack: The lure entices the user to enable macros that infect the system

Of the two file types, the PowerPoint files are more unusual in that they would not show any actual slides when opened, but would still execute the malicious VBA code, a finding consistent with CERT-UA’s analysis. Talos is currently researching whether the file’s failure to open is because they are intentionally corrupted. In any case, the VBA code still runs whenever the files are executed. Based on the files’ thumbnail images – the only content visible in the Windows Explorer window – the PowerPoint files imitate Ukraine’s Ministry of Defence and Poland’s Ministry of National Defence. The image below shows the thumbnail images indicating the campaign’s victims.

Thumbnail images show themes used by PowerPoint lures in these campaigns by the actor.

As opposed to the PowerPoint documents that did not display any slides in our testing environments, all Excel documents display legitimate-looking documents related to the targeted military organizations, or generic descriptions on how to enable VBA macro functionality in Excel. The VBA code in the Excel and PowerPoint-based campaigns displays a high level of similarity. The content of one of the Excel lures is shown below and contains the form for calculating salary payments (cash certificates) for soldiers of a specific military unit.

September 2022 campaign uses a lure that purports to be an official document from the Ukrainian Ministry of Defence.

The actor returned with a new campaign on July 4, 2023. The lure contains a payment instruction form containing VBA code, which appears to have been sent from the State Treasury Service of Ukraine. The content of the form is legitimate and targets Ukrainian government organizations, as seen in the image below. The form also contains legitimate macro code modified by the attacker to call malicious subroutines. It seems that the legitimate macro code is used to calculate some values in the spreadsheets, but the legitimate functions are changed to call the function that starts the infection process.

Ukrainian and Polish businesses, general users also targeted

The generic campaigns are aimed at various civilian targets in Poland and Ukraine, such as with Excel spreadsheet lures masquerading as value-added tax (VAT) return forms. Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed. These two lures are shown below, respectively.

April 2023 campaign targeting business users in Poland with a fake VAT return form.

The majority of the Excel campaigns show some element of luring the user to enable macros in Excel with specific content using Ukrainian language.

Attacks start with VBA code to decode the next malware stage

All campaigns start with Microsoft Office documents, which are possibly sent to the targets as email attachments. In most cases, the file is an Excel spreadsheet containing a VBA macro, but we also found four instances where a malicious PowerPoint OLE2 (PPT) file was used, possibly indicating the actor's readiness to use file formats less commonly used in attacks.

VBA code is responsible for dropping the downloader executable or DLL.

The VBA code in all files is similar, with minor variations, where some functions serve a legitimate purpose (e.g., some functions for conversion of strings into numbers in Excel). The code is obfuscated, using an obfuscator script, based on the fact that some comments the actor didn’t strip are also obfuscated when the words written in the comments are not recognized as a part of the VBA syntax.

As seen below in the image, the obfuscator randomizes function and variable names but makes the mistake of not recognizing the comments (in green).

Randomized code comments show the code was likely obfuscated by an automated tool.

The code contains the next stage stored as hexadecimal encoded strings and is split into multiple strings so that an antivirus scan would not detect the content as potentially malicious. There are three main subroutines: the first is launched when the document is opened (e.g., Auto_Open, Workbook_Open), the second creates a randomly named dynamic loading library (DLL) file in the user’s temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.

The name of the shortcut file, depending on the campaign, is either randomly generated by a random string generator function or hardcoded in the macro code. In some campaigns, the random names are generated by a specific function in the VBA code. The screenshot above shows the function that generates a random string of variable length, specified in the function argument.

One subroutine calls the DLL dropper, LNK creation and launch routine.

Earlier campaigns used an executable downloader, while the later ones used DLLs for the next stage.

In some instances, two randomly generated bytes are added to the end of the file, which invalidates the detection of the dropped files using simple checksum-based techniques.

In some cases randomly generated bytes are added to the end of the dropped file.

The July 2023 campaign has a slightly modified infection chain. The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe. Once the initial export is called (in this case, the legitimately named function IETrackingProtectionEnabled), the downloader will copy itself and call regsvr32.exe with parameters “/u /s” to automatically call the function for unregistering COM servers DllUnregisterServer.

Eventually, when the DLL is copied into its final path, rundll32.exe is used to call the exported function SetQueryNetSessionCount, which downloads the next stage. The final payload of the July 2023 campaign is njRAT, which increases our confidence that the threat actor's goals are information stealing and remote control of the targeted systems. NjRAT is an open-source remote access trojan (RAT) whose source code is freely available and is used by commodity actors and APTs, making the process of attribution more difficult.

July 2023 campaign's main malicious VBA function is Data_Open.

Obfuscated downloader retrieves an image containing the payload

The next stage is a Portable Executable (PE) file, an executable or a DLL file. ConfuserEx obfuscator, an obfuscator that is very commonly used by malicious actors to obfuscate .NET code, is used with various levels of obfuscation, anti-tampering and anti-debugging, which makes the unpacking more difficult for malware researchers. CERT-UA named the downloader PicassoLoader.

All downloaders attempt to download an image file from a URL. Depending on the campaign, the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image. The image will still display in viewers but the downloader will extract the executable content using the appropriate decryption key and the decryption algorithm.

The encrypted next-stage blob is appended to the end of a JPEG image.

The downloader uses managed AES (Rijndael algorithm) to decrypt the appended data which is then reflectively loaded as a byte array using the Assembly.Load function as seen below. The decryption key and the initialization vector are either stored as obfuscated strings in the body of the downloader or calculated as an MD5 checksum of the downloaded image file.

The downloader first decrypts the third stage and then loads it using the Assembly.Load function.

The code to download the next stage is in constant development. In earlier versions, the call to the Assembly.Load function is fairly easy to spot. In the later campaigns, the actor has chosen to add a layer of obfuscation and use the RuntimeBinder.Binder functionality to find and invoke functions for downloading, decryption and loading.

Later variants of the downloader use Binder to invoke functions.

Earlier variants use RijndaelManaged implementation of AES decryption routine to decrypt the next stage, while the variant from April 2023 uses a simplified variant of RC4 to decrypt the payload appended to an image file. The variant from July 2023 returns to RijndaelManaged.

Managed Rijndael is used to decrypt the third stage.
Simplified RC4 is used to decrypt the third stage in April 2023.

Most of the URLs and the infrastructure were not accessible at the time of analysis, although we managed to obtain images from three campaigns to recreate the infection chain. Our analysis triggered exceptions in the decryption process, so it is possible that the image files we obtained were corrupted or that the implementation of decryption in some of the downloaders was incorrect.

Nevertheless, previous analyses by CERT-UA and FortiGuard Labs indicate that final payloads, which included AgentTesla and Cobalt Strike, were used for information theft and remote access to infected systems.

July 2022 image with the next-stage campaign targeting Ukrainian government organizations.
Payload-carrying image used in September 2022 campaign.
Payload-carrying image used in April 2023 campaign.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following ClamAV signatures are applicable to this threat:

  • Doc.Malware.Corona-10003975-0
  • Win.Downloader.DotNETEncryptedJPEG-10006210-0
  • Win.Downloader.DotNETEncryptedJPEG-10006211-0
  • Win.Downloader.DotNETEncryptedJPEG-10006212-0
  • Win.Downloader.DotNETEncryptedJPEG-10006213-0
  • Win.Downloader.DotNETEncryptedJPEG-10006214-0
  • Win.Downloader.DotNETEncryptedJPEG-10006215-0
  • Win.Downloader.DotNETEncryptedJPEG-10006216-0
  • Win.Downloader.DotNETEncryptedJPEG-10006217-0
  • Win.Downloader.DotNETEncryptedJPEG-10006218-0
  • Win.Downloader.DotNETEncryptedJPEG-10006219-0
  • Win.Downloader.DotNETEncryptedJPEG-10006220-0
  • Win.Downloader.DotNETEncryptedJPEG-10006221-0
  • Win.Downloader.DotNETEncryptedJPEG-10006222-0
  • Img.Dropper.Agent-10006223-0
  • Img.Dropper.Agent-10006224-0
  • Xls.Dropper.Corona-10006204-0
  • Xls.Dropper.Corona-10006205-1
  • Xls.Dropper.Corona-10006207-0
  • Xls.Dropper.Corona-10006205-1
  • Ole2.Dropper.Corona-10006206-1
  • Xls.Dropper.Corona-10006207-1
  • Ole2.Dropper.Corona-10006209-0
  • Win.Trojan.Generic-6417450-0

Indicators of Compromise (IOC)

Indicators of Compromise associated with these threats can be found here.