The Ukrainian Computer Emergency Response Group has warned about attackers who distribute fake updates of Windows antivirus software in order to install Cobalt Strike beacons and other malware.
Cybercriminals impersonate Ukrainian government agencies in phishing emails, offering ways to improve network security, and advise recipients to download “critical security updates.” The letter contains a link to a French website for downloading antivirus software updates in the form of a 60 MB file with the name BitdefenderWindowsUpdatePackage.exe .
The fake update actually downloads and installs the file one.exe from CDN Discord, which is the beacon of Cobalt Strike. Cobalt Strike is a widely used penetration testing package offering offensive security capabilities, facilitating network movement and ensuring persistence.
The same process installs the loader in the Go language (dropper.exe ), which decodes and executes a base-64 encoded file (java-sdk.exe ). The file adds a new Windows registry key to attach to the victim’s system, and also loads two more payloads: GraphSteel backdoors (microsoft-cortana.exe) and GrimPlant (oracle-java.exe ). All executable files in the course of this malicious campaign are packaged in the Themida tool, which protects them from reverse engineering, detection and analysis. The tools’ capabilities include network intelligence, command execution, and file operations.
The Ukrainian Computer Incident Response Team linked the detected cyber threat to the UAC-0056 group (also known as Lorec53)— a Russian-language APT group that uses a combination of phishing emails and special backdoors to steal information from Ukrainian organizations.