Summary
Name: ‘Заборгованість по зарплаті.xls’ (Ukrainian for ‘Wage arrears.xls’)
Discovered in March 2022
Was used in attacks against Ukrainian government agencies
Used to download the GraphSteel and GrimPlant malware (together known as the Elephant framework)
Delivered via phishing emails as an ‘.xls’ attachment carrying a malicious VBA macro
The ‘.xls’ file contains the encoded payload, which is decoded and dropped to disk
The extracted file is a PE64 executable written in Go; it downloads a single file from a remote server
That downloaded file is also a PE64 executable written in Go, a second-stage downloader that retrieves GraphSteel and GrimPlant
The attack is attributed to UAC-0056 (also tracked as SaintBear, UNC2589, and TA471), a group that has targeted Ukraine and Georgia since 2021
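Both downloader stages in this chain are described as PE64 images written in Go, so a quick static check of a dropped file for a 64-bit PE header plus Go toolchain markers tells an analyst whether a sample fits the profile before deeper analysis. The following is an added triage example, not code from the original report or from the threat actor's tooling; the Go marker strings are generic heuristics, and the synthetic sample built by `build_sample` is constructed for illustration (it is a bare header, not real malware).

```python
import struct
import sys

# Strings commonly left in Go-built binaries (heuristic assumptions, not from the report).
GO_MARKERS = [b"Go build ID:", b"go.buildid", b"runtime.main", b".gopclntab"]

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x14C


def parse_pe_machine(data: bytes):
    """Return the COFF Machine field of a PE image, or None if data is not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def triage(data: bytes) -> dict:
    """Classify a dropped file: is it PE, is it 64-bit, does it carry Go markers?"""
    machine = parse_pe_machine(data)
    is_pe = machine is not None
    is_pe64 = machine == IMAGE_FILE_MACHINE_AMD64
    markers = [m.decode() for m in GO_MARKERS if m in data]
    return {
        "is_pe": is_pe,
        "is_pe64": is_pe64,
        "go_markers": markers,
        # Matches the profile of the two Go PE64 downloader stages described above.
        "matches_chain_profile": is_pe64 and bool(markers),
    }


def build_sample(machine: int, extra: bytes = b"") -> bytes:
    """Construct a minimal synthetic PE header for testing (demonstration data only)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x22)
    return dos_header + b"PE\0\0" + coff_header + extra


if __name__ == "__main__":
    # Usage: python triage.py <dropped_file>
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
</test>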