Cobalt strike malware

On July 6, 2022, CERT-UA released an alert warning of a new malicious email campaign targeting Ukrainian government entities. The notorious Cobalt Strike Beacon malware has been actively distributed by multiple hacking collectives in spring 2022 as part of the ongoing cyber war against Ukraine, mainly leveraged in targeted phishing attacks on Ukrainian state bodies. The ongoing cyber-attack involves the mass distribution of emails with a lure subject and an XLS file attachment containing a malicious macro that leads to a Cobalt Strike Beacon infection on the compromised system.

Cobalt Strike Beacon Distribution: CERT-UA Details the Latest UAC-0056 Attack Against Ukraine

Earlier, in March 2022, CERT-UA researchers observed the UAC-0056 hacking group spreading Cobalt Strike Beacon along with other malware strains in a phishing campaign against Ukrainian government entities. The latest cyber-attack reported by CERT-UA shares similarities with that earlier incident, leveraging the same attack vector and the same behavior patterns, which is why it is attributed to the activity of the UAC-0056 group.

The attack kill chain starts with a phishing email that uses military-related lures and carries a malicious XLS document. If the user is tricked into opening the document and enabling the embedded macro, a malicious "write.exe" file is executed on the infected host. CERT-UA analysis shows that this file acts as a dropper that launches a PowerShell script. During the next stage of the attack, the PowerShell script circumvents AMSI, disables event logging for PowerShell, and decodes and extracts the second-stage PowerShell script that delivers the Cobalt Strike Beacon infection.

Additionally, "write.exe" ensures persistence by creating a "Check License" key in the Windows registry.

Detecting UAC-0056 Activity: Sigma Rules to Spot New Attacks Against Ukrainian Government

To assist cyber defenders in proactive detection and mitigation of the malicious activity associated with the latest attack against Ukrainian government entities, SOC Prime's Detection as Code platform offers a batch of curated Sigma rules. For a streamlined search for relevant detection content, all Sigma rules are tagged #UAC-0056, based on the adversary activity attributed to the most recent cyber-attack covered in the CERT-UA#4914 alert. To instantly access the detection algorithms, follow the link below after signing up or logging into SOC Prime's platform:

Sigma rules to detect the malicious activity of the UAC-0056 group

To obtain the entire list of detection rules and hunting queries that let cybersecurity experts promptly identify a malicious Cobalt Strike Beacon presence in their environment, click the Detect & Hunt button below. Browse SOC Prime's cyber threats search engine to instantly drill down to the list of Sigma rules detecting the malicious activity of UAC-0056 threat actors, along with in-depth contextual metadata such as MITRE ATT&CK® and CTI references, CVE descriptions, and other relevant threat context.

To give insight into the context of the cyber-attacks attributed to the UAC-0056 group targeting Ukrainian government officials, all above-referenced Sigma rules are aligned with the MITRE ATT&CK® framework, addressing the corresponding tactics and techniques.
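The following is an added example, not part of the original post and not SOC Prime's or CERT-UA's code: a small detection pass over constructed endpoint telemetry that mirrors the chain described above (Excel spawning "write.exe", the "Check License" registry key, the dropper launching PowerShell, PowerShell logging being switched off). The event layout, the file paths, the registry location of the "Check License" key and the use of the ScriptBlockLogging policy value as the "logging disabled" signal are all assumptions made for the example.

```python
# Constructed telemetry in a Sysmon-like shape (not real CERT-UA data).
# Dropper paths and the hive/path of the "Check License" key are assumed.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\explorer.exe", "parent": ""},
    {"kind": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "process", "image": r"C:\Users\victim\AppData\Local\Temp\write.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"kind": "registry", "image": r"C:\Users\victim\AppData\Local\Temp\write.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License",
     "value": "(assumed dropper path)"},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\write.exe"},
    {"kind": "registry", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
     "value": "DWORD (0x00000000)"},
    # Benign control: the genuine WordPad launcher started from Explorer must not alert.
    {"kind": "process", "image": r"C:\Windows\System32\write.exe", "parent": r"C:\Windows\explorer.exe"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")


def basename(path):
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, image) pairs for events matching the UAC-0056 chain heuristics."""
    hits = []
    for e in events:
        img = basename(e["image"])
        if e["kind"] == "process":
            parent = basename(e.get("parent", ""))
            # Macro execution: an Office application spawning a process named write.exe.
            if parent in OFFICE_APPS and img == "write.exe":
                hits.append(("office_spawns_write_exe", e["image"]))
            # Dropper stage: a write.exe living outside System32 launching PowerShell.
            if parent == "write.exe" and img == "powershell.exe" \
                    and "\\system32\\" not in e["parent"].lower():
                hits.append(("write_exe_spawns_powershell", e["image"]))
        elif e["kind"] == "registry":
            key = e["key"].lower()
            # Persistence: any registry write to a key named "Check License".
            if "check license" in key:
                hits.append(("check_license_persistence_key", e["image"]))
            # Defense evasion: script block logging policy forced to 0.
            if key.endswith("enablescriptblocklogging") and "0x00000000" in e["value"]:
                hits.append(("powershell_scriptblock_logging_disabled", e["image"]))
    return hits
```

Each rule is deliberately narrow and would be tuned against a real Sysmon or EDR feed; the benign write.exe event shows why the parent process, not the file name alone, is the useful signal.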