Fake antivirus updates used to deploy malware in Ukraine

Ukraine’s Computer Emergency Response Team (CERT-UA) warned that threat actors are using fake Windows antivirus updates to install Cobalt Strike and other malware in Ukraine. The phishing emails, which impersonate Ukrainian government agencies, propose a way to increase network security and advise recipients to download the BitdefenderWindowsUpdatePackage.exe., falsely dubbed a ‘critical security update’. 

When executed, the malware downloads and installs a Cobalt Strike beacon. The malware also downloads a Go downloader (dropper.exe), which then decodes and executes a secondary file (java-sdk.exe). This secondary file modifies the registry of the infected system to establish persistence and downloads two additional payloads, the GraphSteel backdoor (microsoft-cortana.exe) and the GrimPlant backdoor (oracle-java.exe).

CERT-UA associates the malicious activity with the UAC-0056 group, also known as ‘Lorec53’, a sophisticated Russian-speaking threat group, with medium confidence.