Another cyber attack by UAC-0149 using Signal, the CVE-2023-38831 vulnerability and the COOKBOX program (CERT-UA#9522)

General Information

The Government Computer Emergency Response Team of Ukraine CERT-UA received information about an attempt to attack a computer of a representative of the Defense Forces of Ukraine with malicious software.

It was found that the file “Suprovid.rar” was sent by an unidentified person via the Signal messenger under the guise of a request to provide documents for filling a position in the Department of UN Peace Support Operations. The archive contains an exploit for a vulnerability in the WinRAR software (CVE-2023-38831).

If the archive is opened and the vulnerability is successfully exploited, the CMD file “support.pdf .cmd” will be executed, which will, among other things, open the decoy document “DPO_SEC23-1_OMA_P-3_16-ENG.pdf” and launch PowerShell scripts that are classified as the COOKBOX malicious program (detailed information in the publication dated 02.24.2024: https://cert.gov.ua/article/6277849).

Please note that the NoIP dynamic DNS service is used to keep the COOKBOX command-and-control server reachable. With the help of the latter (NoIP), the corresponding domain name was blocked.

Computer users are asked to be vigilant and critical of any attempts to encourage them to open files or click on links, including those sent via messengers. At the slightest suspicion, such messages, links and files should be submitted for analysis to the relevant units and/or CERT-UA.

System administrators are strongly recommended to prohibit users from running utilities such as powershell.exe, wscript.exe, cscript.exe, mshta.exe and others, for which it is advisable to use the standard mechanisms of the operating system (SRP, AppLocker, registry settings).

Indicators of cyber threats

Files:

  • 2fec3ab587e6b5533b4c6b3c11dd357a d8ccaef116cada9c558f9e912d5cf7ef2978082611e677f6f55ca233f47a2f68 Support.rar
  • cc1732ce2d2cd79dc85893fdc3b7d143 6652b46987350e831678d7a33a70bce94c8c9cca137f0bb0efbbd0c07279cbb6 DPO_SEC23-1_OMA_P-3_16-ENG.pdf
  • ba1859659089253621e5a65181ea94cd 8f8abfa6717ad2043a295d16b5aeeac3e7084b7994f6eec8351e18a9a3c59997 DPO_SEC23-1_OMA_P-3_18-ENG.pdf.cmd
  • 1e857958a3c7f909ee1370c66d71adfd 56b569912a6e1c4c08e5612c0ef5ddf9f238b1d708621b89963b47b31e45cde1 support.pdf 

Network:

  • Mozilla/5.0(Windows NT 10.0;Win64;x64;rv:109.0)Gecko/20100101 Firefox/116.0
  • hXXp://netman.servehttp[.]com
  • hXXp://worker-misty-mouse-6ac7.aky15825.workers[.]dev/
  • netman.servehttp[.]com
  • worker-misty-mouse-6ac7.aky15825.workers[.]dev

Hosts:

  • HKCU:\Environment\XBoxD1
  • HKCU:\Environment\XBoxD2
  • HKCU:\Environment\XBoxD3
  • HKCU:\Environment\XBoxD4
  • HKCU:\Environment\XBoxD5
  • HKCU:\Environment\XBoxD6
  • HKCU:\Environment\XBoxD7
  • HKCU:\Environment\XBoxD8
  • HKCU:\Environment\XBoxD9
  • HKCU:\Environment\XBoxD10
  • HKCU:\Environment\XBoxD11
  • HKCU:\Environment\XBoxD12
  • HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XBoxCache
  • cmd /c start /min "" powershell -windowStyle hidden -c(powershell -windowStyle hidden -enC $env:XBoxD1+$env:XBoxD2+$env:XBoxD3+$env:XBoxD4+$env:XBoxD5+$env:XBoxD6+$env:XBoxD7+$env:XBoxD8+$env:XBoxD9+$env:XBoxD10+$env:XBoxD11+$env:XBoxD12
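As an added triage example (not part of the CERT-UA advisory), the following Python script parses a .reg-style export of the two host locations listed above, flags a Run value that feeds PowerShell `-enC` from concatenated user environment variables, and reassembles the XBoxD1..XBoxD12 chunks in the order the command line concatenates them so the base64 (UTF-16LE) payload can be decoded for analyst review. The export layout and the placeholder payload are constructed assumptions for this example; the real COOKBOX script is not reproduced.

```python
import base64
import re

# Constructed sample input: a .reg-style export of the two locations listed under "Hosts".
# The chunked payload is a harmless placeholder built here, not the real COOKBOX script.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed sample'"
ENV_KEY = r"HKEY_CURRENT_USER\Environment"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
ENV_REF = re.compile(r"\$env:(\w+)")

def build_sample_export(script: str, chunks: int = 12) -> str:
    """Mimic the layout on the page: XBoxD1..XBoxD12 hold slices of a base64 (UTF-16LE) script."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    size = -(-len(enc) // chunks)  # ceiling division; the last slice may be empty
    lines = [f"[{ENV_KEY}]"]
    lines += [f'"XBoxD{i + 1}"="{enc[i * size:(i + 1) * size]}"' for i in range(chunks)]
    refs = "+".join(f"$env:XBoxD{i}" for i in range(1, chunks + 1))
    cmd = rf'cmd /c start /min \"\" powershell -windowStyle hidden -c(powershell -windowStyle hidden -enC {refs})'
    return "\n".join(lines + ["", f"[{RUN_KEY}]", f'"XBoxCache"="{cmd}"'])

def parse_reg_export(text: str) -> dict:
    """Return {key: {value_name: data}} for the string values of a .reg export (unescapes \\" and \\\\)."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            values.setdefault(key, {})[m.group(1)] = data
    return values

def find_chunked_encoded_runs(values: dict) -> list:
    """Flag Run entries that feed -enC from concatenated user env vars; reassemble and decode the payload."""
    env, findings = values.get(ENV_KEY, {}), []
    for name, cmd in values.get(RUN_KEY, {}).items():
        refs = ENV_REF.findall(cmd)  # variable names in the order the command line concatenates them
        if "powershell" not in cmd.lower() or not re.search(r"-e(c|nc|ncodedcommand)?\b", cmd, re.I) or len(refs) < 2:
            continue
        joined = "".join(env.get(r, "") for r in refs)
        try:
            decoded = base64.b64decode(joined, validate=True).decode("utf-16-le")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError: chunks missing or not base64
            decoded = None
        findings.append({"value": name, "command": cmd, "chunks": refs, "decoded": decoded})
    return findings

def triage(reg_export: str) -> list:
    return find_chunked_encoded_runs(parse_reg_export(reg_export))
```

On a live host the same logic applies to the output of `reg export HKCU\Environment` and `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; a decoded result that is not the benign placeholder is the script to hand to the analyst.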

Graphic images

Fig. 1 Example of the infection chain

https://cert.gov.ua/article/6278620

MITRE TTPs:

  1. Spearphishing Attachment (T1566.001): The initial attempt to compromise the computer involves sending a malicious .rar file (“Suprovid.rar”) to a representative of the Defense Forces of Ukraine through Signal messenger. The file is disguised as necessary documentation for a position, making it a targeted spearphishing effort.
  2. Exploitation for Client Execution (T1203): The malicious archive contains an exploit for a known vulnerability in the WinRAR software (CVE-2023-38831). The exploitation of this vulnerability allows the attacker to execute arbitrary code on the victim’s machine.
  3. Command and Scripting Interpreter: PowerShell (T1059.001): After exploiting the WinRAR vulnerability, a CMD file (“support.pdf.cmd”) executes PowerShell scripts. These scripts are part of the COOKBOX malware, indicating the use of command-line scripting to perform actions on the system.
  4. Masquerading (T1036): The malicious CMD file is disguised as a PDF document (“support.pdf.cmd”), a common technique to trick users into executing the file by making it appear harmless.
  5. Deobfuscate/Decode Files or Information (T1140): The attack may involve decoding or deobfuscating scripts or other components within the malicious payload to evade detection.
  6. Ingress Tool Transfer (T1105): The delivery of the malicious file through Signal messenger represents the transfer of tools or other files into the targeted environment.
  7. Dynamic Resolution (T1568.002): The use of the NoIP dynamic DNS service to manage the command and control (C2) server for COOKBOX indicates dynamic DNS resolution techniques to obscure command and control infrastructure.
  8. Command and Control: Ingress Tool Transfer (T1105): The C2 infrastructure supports the transfer and execution of further malicious tools or commands after the initial compromise.
  9. Impair Defenses: Disable or Modify Tools (T1562): The recommendation for system administrators to block execution of utilities like PowerShell and other scripting tools is aimed at impairing an attacker’s ability to use these tools for further exploitation and maintaining persistence.
  10. Execution Prevention (using SRP, AppLocker, or registry settings): This is a proactive defensive technique recommended to block execution of potentially malicious scripts or applications, thus preventing certain types of malware from running.