March 14th, 2022: Threat Group Delivers Cobalt Strike Through AV Updates

The Ukrainian Computer Emergency Response Team alerted users to a phishing campaign impersonating the Ukrainian government. The campaign prompts potential victims into downloading fraudulent "critical security updates" to ultimately deliver a Cobalt Strike beacon. The alerted activity has been observed by the MalwareHunterTeam and is reported by BleepingComputer. The phishing email contains a malicious link that downloads a executable masquerading as "itdefenderWindowsUpdatePackage.exe'' and when executed, prompts itself to "installing the Windows update package" however, if installed the user actually downloads a Cobalt Strike beacon from Discord. Additional backdoors are dropped on the victim host, establishing persistence, conducting reconnaissance and command execution to achieve the threat actor's objective. The Ukrainian Computer Emergency Response Team attributed this threat activity with medium confidence to the Russian threat group, UAC-0056/Lorec53.