• caglararli@hotmail.com
  • 05386281520

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

This blog was authored by Roberto Santos and Hossein Jazi

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

Different themes, same techniques

Since the publication of our blog post There’s a Go Elephant in the room, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “Information on the availability of vacancies and their staffing.xls” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (Humanitarian catastrophe of Ukraine since February 24, 2022.xls) we see an almost identical macro to the one used in another decoy document called Help Ukraine.xls:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The Help Ukraine lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments regarding to a domain named ExcelVBA[.]ru. This document was contacting a suspiciously similar domain named excel-vba[.]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine!

Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (Information on the availability of vacancies and their staffing.xls). The analysis is still valid for the others, while minor changes exist between samples.


The document will download an executable file named write.bin. Other attacks following the same scheme used different names for this file, including Office.exe, baseupd.exe and DataSource.exe. The file is slightly obfuscated, and performs the following actions:

Establishing persistence

After some antidebug tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker, is checked first because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

Dropping next stage

Next step is dropping a file in C:\ProgramData\TRYxaEbX.  This file will be used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload will execute the following powershell Base64 encoded command:


96951aa5-4fab-4188-ad33-d72fcaa7aafe.png (565×466)
Figure 9: Write executable creating the previous detailed powershell command

The chunk before is Base64 encoded; which decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");


$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short the file dropped in C:\ProgramData\TRYxaEbX will be decrypted using CmAJngvdDmiTjLxN as key using the RC4 algorithm. This next PowerShell script will look like:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

  • Disable script logging
  • Disable Module Logging
  • Disable Transcription
  • Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

Cobalt Strike payload deployed

As it can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:

BeaconType                    – HTTPS

Port                              – 443

SleepTime                       – 30000

PublicKey_MD5              – defb5d95ce99e1ebbf421a1a38d9cb64

C2Server                         – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/

UserAgent                       – Mozilla/5.0_Frsg_stredf_o21_rutyyyrui_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko_10984gap

HttpPostUri                    – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/

Watermark                      – 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.

Attacker probes the sandbox

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Steven’s excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

Attribution to UAC-0056

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64), may be used to connect the attack to other groups. For instance, the public key should be unique among deployments, according to the CobaltStrike documentation.

However, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed in this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and used the same private key as others, making attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.


Malicious Excel documents (Help Ukraine template)


Malicious Excel documents (Humanitarian template)




Cobalt Strike beacon and payloads


The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.