Ukraine Targeted by Exploitation of Seven-Year-Old Microsoft Office Vulnerability

April 28, 2024

Deep Instinct Threat Lab has detected a targeted cyber operation against Ukraine that exploits a nearly seven-year-old vulnerability in Microsoft Office. The vulnerability is used to deploy Cobalt Strike, a post-exploitation tool, on compromised systems.

The researchers found a malicious PPSX (PowerPoint Slideshow) file that had been uploaded from Ukraine to VirusTotal in late 2023. Despite being labeled as shared via the Signal app, the file might not have been initially sent through this platform. Interestingly, the PPSX file appears to be an outdated US Army manual for tank mine clearing blades.

This file contains a remote link to an external OLE object. The use of the 'script:' prefix in this link indicates the exploitation of the vulnerability CVE-2017-8570, which is a bypass for CVE-2017-0199. The remote script, named 'widget_iframe.617766616773726468746672726a6834.html,' was hosted on the domain 'weavesilk[.]space,' which is protected by CloudFlare. However, the actual hosting behind the domain was traced to a Russian VPS provider. The scriptlet's contents are heavily obfuscated.

The second stage of the attack involves a dropper, an HTML file containing JavaScript code that is executed via Windows cscript.exe. This script establishes persistence, decodes, and saves the embedded payload to disk, where it is disguised as a Cisco AnyConnect VPN file. The payload includes a dynamic-link library (vpn.sessings) that injects the Cobalt Strike Beacon into memory and waits for commands from the C2 server.

It was found that the threat actors used a cracked version of Cobalt Strike. The DLL also has features that help it evade detection and hinder analysis by security experts. Deep Instinct Threat Lab was unable to attribute the attacks to any known threat actor. Evidence collected by the experts shows that the sample originated from Ukraine, the second stage was hosted by a Russian VPS provider, and the Cobalt beacon C&C was registered in Warsaw, Poland.

According to the report, 'The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (http://weavesilk.com) and a popular photography site (https://petapixel.com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.' The report concludes, 'As of the day of discovery, the loader was undetectable by most engines, while Deep Instinct prevented it on day 0.' The report also includes Indicators of Compromise (IoCs).

Latest News

• CISA Adds Cisco and CrushFTP Flaws to Known Exploited Vulnerabilities Catalog
• North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
• Critical Vulnerability in Over 1,400 CrushFTP Servers Actively Exploited
• CISA Catalogs Microsoft Windows Print Spooler Flaw Exploited by APT28
• Government Networks Worldwide Breached by ArcaneDoor Hackers Exploiting Cisco Zero-Days