Weaponized Excel Files Target Ukrainian Military
Category: Malware Campaigns | Industry: Military | Level: Tactical | Source: Fortinet
FortiGuard Labs researchers discovered a campaign targeting Ukraine's military staff that delivers Cobalt Strike. The infection chain starts with a weaponized Excel file disguised "as a spreadsheet tool for generating salaries for Ukrainian military personnel"; its macro saves a DLL file to disk and creates an LNK file that executes the DLL via regsvr32. The DLL executes from the TEMP folder and downloads a JPEG file carrying a second-stage loader, which in turn downloads a malicious executable. The malware checks the running system processes for security solutions and malware analysis tools, and only if no security tools are present does it proceed to create persistence with a scheduled task. "Instead of the typical usage of schtasks.exe to create this scheduled task, the malware uses Task Scheduler's ITaskFolder::RegisterTaskDefinition COM function. This might be a way to hide the task creation from security products such as EDRs, which can detect suspicious usage of schtasks.exe based on the command line arguments." At the user's next logon, the scheduled task injects the Cobalt Strike DLL into the Windows Search executable SearchIndexer.exe, completing the infection chain.
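The evasion point in the brief is that a detection keyed on schtasks.exe command lines never sees a task registered through the COM API, whereas the task definition itself is recorded regardless of how it was registered (Windows Security event 4698, "A scheduled task was created", carries the task XML in its TaskContent field when object-access auditing is enabled). The following Python is an added illustration written for this page, not code from Fortinet or Anvilogic; it runs three rules over constructed, hypothetical telemetry (the event dictionaries, file names and task names are made up) and shows that the regsvr32-from-TEMP and task-content rules fire on the COM-registered logon task while the command-line rule only ever sees the task that went through schtasks.exe.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML carried in Security event 4698 TaskContent
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# User-writable locations a logon-triggered task has little business launching code from
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Signed Windows binaries commonly used to host a DLL (the brief shows regsvr32)
DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}

# --- Constructed sample telemetry (hypothetical; not from the report) ---
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\salary.dll",
     "parent": r"C:\Windows\explorer.exe"},            # LNK -> regsvr32 -> DLL in TEMP
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily',
     "parent": r"C:\Windows\System32\cmd.exe"},         # an admin creating a task the noisy way
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\AppData\Local\Temp\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},             # TEMP path, but not a DLL host
]

# Task registrations as they would appear in TaskContent. The first was registered through
# the COM API, so no schtasks.exe process-creation event accompanies it.
SAMPLE_TASK_EVENTS = [
    {"task_name": r"\ConstructedSample\Updater", "task_content": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\regsvr32.exe</Command>
      <Arguments>/s C:\Users\user\AppData\Local\Temp\salary.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""},
    {"task_name": r"\Backup", "task_content": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\run.exe</Command></Exec>
  </Actions>
</Task>"""},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, with any surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def flag_regsvr32_from_temp(proc_events):
    """First-stage rule: a DLL host binary launched against a user-writable path."""
    return [ev["cmdline"] for ev in proc_events
            if _basename(ev["image"]) in DLL_HOSTS and USER_WRITABLE.search(ev["cmdline"])]


def tasks_seen_via_schtasks(proc_events):
    """Command-line rule: it can only see tasks registered through schtasks.exe /create."""
    return [ev["cmdline"] for ev in proc_events
            if _basename(ev["image"]) == "schtasks.exe"
            and re.search(r"/create\b", ev["cmdline"], re.IGNORECASE)]


def flag_suspicious_logon_tasks(task_events):
    """Registration rule: inspects the task definition itself, so it covers tasks created
    with schtasks.exe, PowerShell or the ITaskFolder::RegisterTaskDefinition COM call alike.
    Flags logon-triggered tasks whose action is a DLL host or runs from a user-writable path."""
    hits = []
    for ev in task_events:
        root = ET.fromstring(ev["task_content"].strip())
        if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is None:
            continue
        for exe in root.findall("t:Actions/t:Exec", TASK_NS):
            cmd = exe.findtext("t:Command", "", TASK_NS)
            args = exe.findtext("t:Arguments", "", TASK_NS)
            launch = f"{cmd} {args}".strip()
            if _basename(cmd) in DLL_HOSTS or USER_WRITABLE.search(launch):
                hits.append((ev["task_name"], launch))
    return hits


if __name__ == "__main__":
    print("DLL host from user-writable path:", flag_regsvr32_from_temp(SAMPLE_PROCESS_EVENTS))
    print("tasks visible to a schtasks.exe rule:", tasks_seen_via_schtasks(SAMPLE_PROCESS_EVENTS))
    print("suspicious logon tasks from task content:", flag_suspicious_logon_tasks(SAMPLE_TASK_EVENTS))
```

The design choice worth taking away is the data source: the third rule reads the registered task definition (trigger plus action) rather than the process that registered it, which is what makes the COM registration path visible; the Microsoft-Windows-TaskScheduler/Operational log and the task files under the Tasks folder expose the same definition if 4698 auditing is not enabled.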
- Malicious Document Delivering Malware
Anvilogic Use Cases:
- Symbolic OR Hard File Link Created
- Network Connection with Suspicious Folder
- regsvr32 Execution