Ukraine’s Computer Emergency Response Team alerts that Threat actors are sending fraudulent Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails pretend to be from Ukrainian government institutions, advising recipients to download “critical security updates” in the form of a 60 MB file called “BitdefenderWindowsUpdatePackage.exe.”
These emails include a link to a now-defunct French website with download buttons for the supposed antivirus software upgrades. MalwareHunterTeam also determined that another website, nirsoft[.]me, was operating as the campaign’s command and control server. When a victim downloads and runs the fake BitDefender Windows update [VirusTotal], it is requested that the user install a ‘Windows Update Package.’ However, this ‘update’ downloads and installs the one.exe file [VirusTotal]. It is a Cobalt Strike beacon from the Discord CDN.
Cobalt Strike is a commonly misunderstood penetration testing tool that provides offensive security capabilities, allows lateral network mobility, and assures persistence. A Go downloader (dropper.exe) is also downloaded, which decodes and runs a base-64-encoded file (java-sdk.exe). This file creates a new Windows registry key for persistence and downloads two additional payloads: the GraphSteel backdoor (microsoft-cortana.exe) and the GrimPlant backdoor (oracle-java.exe). Themida is used to bundle all of the campaign’s executables, securing them from reverse engineering, detection, and analysis.
GraphSteel and GrimPlant are malware developed in Go, a flexible and cross-platform programming language with a small footprint and poor detection rates by antivirus software. Because the two tools’ capabilities overlap in network reconnaissance, command execution, and file operations, their deployment in the same system is most probable for redundancy.
GraphSteel Features:
- Collect hostname, username, and IP address information
- Run commands
- Steal account credentials
- Use WebSocket and GraphQL to communicate with C2 with the help of AES and base64 encryption
GrimPlant Capabilities:
- Collect IP address, hostname, OS, username, home dir
- Run commands received remotely and return results to C2
- Use gRPC (HTTP/2+SSL) for C2 communication
There aren’t many technical details available on these two payloads. It’s hard to rule out the chance that they’re known backdoors.
Given the present situation in Ukraine, it’s simple to blame any hostile action on Russian and pro-Russian threat actors, and it appears that this is the case here as well. The Ukrainian Computer Emergency Response Team has a medium level of confidence in associating the discovered activity with the UAC-0056 group. UAC-0056, also known as “Lorec53,” is a sophisticated Russian-speaking APT that collects information from Ukrainian enterprises using a combination of phishing emails and proprietary backdoors.
UAC-0056 has been discovered in Ukraine stepping up its phishing distribution and network penetration activities since December 2021. In the recent past, the same attacker targeted Georgian government agencies with phishing lures, indicating a high level of cooperation and alignment with Russian state interests.