The Cyber Command of the State Special Communications Service CERT-UA has discovered new targeted cyberattacks on representatives of the Defense Forces of Ukraine. The main goal is to install a fully functional CABINETRAT backdoor to gain remote control over the affected system.
The Cyber Command of the State Special Communications Service CERT-UA has discovered new targeted cyberattacks on representatives of the Defense Forces of Ukraine. The main goal is to install a fully functional CABINETRAT backdoor to gain remote control over the affected system.
The attackers, known as UAC-0245, are attacking computers using malicious XLL files that impersonate important documents, such as "UBD Request.xll" or border protocols. These files are distributed, in particular, through the Signal messenger, the State Special Communications Service reports .
An attack via XLL files is more dangerous than via typical Word documents because these files are executable programs.
When a user opens such a file in Excel, a multi-stage infection process is activated: auxiliary files are created, including an executable launcher file (runner.exe) and an XLL add-in (loader.xll), which is placed in the Excel startup folder. Fixation in the system is carried out through entries in the system registry and settings of scheduled tasks.
"The ultimate goal of this chain is to launch a hidden Excel process, which automatically loads loader.xll. This file, in turn, reads and executes the main malicious component hidden in a regular PNG image. This shellcode is the CABINETRAT backdoor," cyber experts explain.
