Ukrainian intelligence agencies have released an urgent alert concerning a complex malware operation directed at governmental and essential infrastructure sectors utilizing weaponized XLL files disseminated via compressed folders.
This nefarious campaign takes advantage of Microsoft Excel add-in files, embedding the CABINETRAT backdoor, marking a notable advancement in cyber attacks aimed at Ukrainian organizations.
The attack strategy consists of circulating zip folders that include XLL files with titles intended to invoke urgency and authenticity, such as “dodatok.xll” hidden within “500.zip” folders.
These files disguise themselves as documents related to border security events, capitalizing on existing geopolitical conflicts to enhance victim vulnerability.
Once activated, the malicious XLL files deliver a sophisticated multi-phase payload, establishing continuous access to compromised machines.
CERT-UA analysts observed the campaign’s intricate approach, identifying it as the effort of the threat group UAC-0245.
The malware showcases advanced evasion techniques and signals a troubling transition toward more sophisticated Office-based attack methods targeting Ukraine’s critical infrastructure.
The technical intricacy of the campaign and its targeting patterns imply state-sponsored origins, with considerable resources allocated to circumvent modern security measures.
Infection Mechanism and Persistence Strategy
The CABINETRAT malware utilizes a sophisticated multi-file deployment strategy that guarantees continual system access while avoiding detection systems.
Upon the initial execution of the XLL file through Excel’s xlAutoOpen function, it generates three separate components within the victim’s system: a randomly titled executable file of 15-20 characters (internally referred to as “runner.exe”) located in the Startup folder and %APPDATA%\Microsoft\Office, an XLL loader file named “BasicExcelMath.xll” situated in Excel’s XLSTART directory, and a PNG image “Office.png” embedding shellcode.
The persistence strategy functions through several redundant avenues to maintain ongoing system access.
The malware forms registry entries in the Windows Run key with randomized titles, sets up scheduled tasks executing every 12 hours with restricted privileges, and exploits Excel’s automatic add-in loading feature.
The runner executable initiates Excel in hidden mode with the “/embed” parameter, automatically activating the harmful BasicExcelMath.xll add-in without presenting visible Excel windows to users.
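The dropped files, Run key, 12-hour scheduled task and hidden “/embed” Excel launch described in the two paragraphs above are all host artifacts a defender can hunt for. The following Python is an added example written for this article, not code from CERT-UA or from the malware analysis; it runs a small set of hunting rules over constructed, Sysmon-style event records. The event field names, the profile path, the random executable name and the location of Office.png beside the runner are assumptions, not values taken from the advisory.

```python
"""Hunting rules for the CABINETRAT persistence chain, run over constructed events.

The event shape (type, image, path, key, value, command, parent_image) is a
simplified Sysmon-like record invented for this example; it is not the advisory's
data and not real telemetry.
"""
import re
from typing import Dict, Iterable, List, Tuple

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
APPDATA = r"C:\Users\alice\AppData\Roaming"  # constructed profile path

# Constructed sample events: the first six model the infection chain from the
# article, the last three are benign noise that the rules must not flag.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "file_create", "image": EXCEL,
     "path": APPDATA + r"\Microsoft\Excel\XLSTART\BasicExcelMath.xll"},
    {"type": "file_create", "image": EXCEL,
     "path": APPDATA + r"\Microsoft\Office\Office.png"},  # assumed location
    {"type": "file_create", "image": EXCEL,
     "path": APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup\qzrtkxmlbwvhsyae.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lpqzrkwmvtb",
     "value": APPDATA + r"\Microsoft\Office\qzrtkxmlbwvhsyae.exe"},
    {"type": "task_create", "name": "OfficeSyncTask", "interval_minutes": 720,
     "command": APPDATA + r"\Microsoft\Office\qzrtkxmlbwvhsyae.exe"},
    {"type": "process_create", "image": EXCEL, "cmdline": '"EXCEL.EXE" /embed',
     "parent_image": APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup\qzrtkxmlbwvhsyae.exe"},
    {"type": "process_create", "image": EXCEL,
     "cmdline": '"EXCEL.EXE" "C:\\Users\\alice\\Documents\\budget.xlsx"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "image": EXCEL,
     "path": r"C:\Users\alice\Documents\budget.xlsx"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Locations named in the article: the Startup folder, Excel's XLSTART directory,
# and %APPDATA%\Microsoft\Office. A 15-20 character alphanumeric .exe name models
# the randomly titled runner.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
XLSTART_DIR = re.compile(r"\\XLSTART\\", re.I)
OFFICE_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Office\\", re.I)
RANDOM_EXE = re.compile(r"\\[a-z0-9]{15,20}\.exe(?:\"|\s|$)", re.I)


def _is_excel(image: str) -> bool:
    return image.lower().endswith(r"\excel.exe")


def _in_drop_dirs(path: str) -> bool:
    return bool(STARTUP_DIR.search(path) or OFFICE_DIR.search(path))


def hunt(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule_id, evidence) pairs for every event matching a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and _is_excel(str(ev["image"])):
            path = str(ev["path"])
            name = path.rsplit("\\", 1)[-1].lower()
            if XLSTART_DIR.search(path) and name.endswith(".xll"):
                findings.append(("XLL-DROP-XLSTART", path))      # auto-loaded add-in
            elif _in_drop_dirs(path) and RANDOM_EXE.search(path):
                findings.append(("EXCEL-DROPS-EXE", path))       # Excel writing an executable
            elif OFFICE_DIR.search(path) and name.endswith(".png"):
                findings.append(("PNG-IN-OFFICE-DIR", path))     # weak alone; correlate
        elif kind == "registry_set":
            key, value = str(ev["key"]), str(ev["value"])
            if "\\currentversion\\run\\" in key.lower() and _in_drop_dirs(value) \
                    and RANDOM_EXE.search(value):
                findings.append(("RUNKEY-RANDOM-EXE", key))
        elif kind == "task_create":
            command = str(ev["command"])
            if ev.get("interval_minutes") == 720 and _in_drop_dirs(command):
                findings.append(("TASK-12H-APPDATA", str(ev["name"])))
        elif kind == "process_create" and _is_excel(str(ev["image"])):
            parent = str(ev["parent_image"])
            if "/embed" in str(ev["cmdline"]).lower() and _in_drop_dirs(parent):
                findings.append(("EXCEL-EMBED-FROM-APPDATA", parent))
    return findings


def triage(findings: List[Tuple[str, str]]) -> str:
    """Several independent rules firing on one host is the strong signal."""
    rules = {rule for rule, _ in findings}
    if not rules:
        return "none"
    return "high" if len(rules) >= 3 else "low"


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for rule, evidence in hits:
        print(f"{rule:26s} {evidence}")
    print("triage:", triage(hits))
```

The rules are deliberately narrow to the artifacts the advisory names; the PNG rule in particular would be noisy on its own, which is why `triage` only escalates when three or more distinct rules fire for the same host.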
(Figure: the entire infection sequence from the initial XLL execution to the final CABINETRAT deployment.)
The malware incorporates wide-ranging anti-analysis tactics including BIOS fingerprint checks for virtualization signatures, processor core and memory threshold validation, CPUID timing analysis to identify sandboxed conditions, and PEB debugging flag checks.
These advanced evasion strategies illustrate the campaign’s sophisticated nature and commitment to evading security research initiatives.