Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems.
The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT.
“The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats,” Cisco Talos researcher Vanja Svajcer said in a new report. “This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.”
Some of the activities have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the Belarusian government.
It’s worth noting that a subset of these attacks has already been documented over the past year by Ukraine’s Computer Emergency Response Team (CERT-UA) and Fortinet FortiGuard Labs, one of which employed macro-laden PowerPoint documents to deliver Agent Tesla malware in July 2022.
The infection chains aim to convince victims to enable macros, with the VBA macro engineered to drop a DLL downloader known as PicassoLoader that subsequently reaches out to an attacker-controlled site to fetch the next-stage payload, a legitimate image file that embeds the final malware.
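The report says only that the next-stage payload is "concealed in an image file"; it does not describe the embedding. As an added example (not code from the page or from Talos), the following Python checks for one common layout, a payload appended after the image's end-of-image marker, by walking the PNG chunk list to IEND and the JPEG segment list to EOI instead of searching for the marker bytes (a naive search would stop at an EXIF thumbnail's own EOI). That PicassoLoader uses this exact layout is an assumption; the sample PNG and JPEG are constructed inline.

```python
"""Flag PNG/JPEG files that carry data after the format's end marker.
Added example; assumes the payload is appended after IEND / EOI,
which the source report does not confirm."""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk PNG chunks; return bytes after IEND (b"" if none), None if not PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            return b""                       # truncated chunk, no trailer to report
        if ctype == b"IEND":
            return data[end:]
        pos = end
    return b""


def jpeg_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk JPEG marker segments; return bytes after EOI (b"" if none), None if not JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    n, pos = len(data), 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return b""                       # malformed stream
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI: everything after it is a trailer
            return data[pos + 2:]
        if marker == 0xFF:                   # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > n:
            return b""
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen                    # skips APPn payloads, incl. EXIF thumbnails
        if marker == 0xDA:                   # SOS: skip entropy-coded data to next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return b""


def scan_image(data: bytes) -> dict:
    """Classify the blob and report any trailer and whether it starts like a PE file."""
    for fmt, fn in (("png", png_trailing_data), ("jpeg", jpeg_trailing_data)):
        trailer = fn(data)
        if trailer is not None:
            return {"format": fmt, "trailer_len": len(trailer),
                    "looks_like_pe": trailer.startswith(b"MZ")}
    return {"format": "unknown", "trailer_len": 0, "looks_like_pe": False}


# --- constructed samples (not real files from the campaign) ---
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png_1x1() -> bytes:
    """Valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_fake_jpeg() -> bytes:
    """Structurally valid JPEG skeleton with an EXIF thumbnail containing its own EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", 12) + b"Exif\x00\x00\xff\xd8\xff\xd9"   # inner EOI
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"          # stuffed FF00 and an RST0 marker
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    print(scan_image(make_png_1x1()))
    print(scan_image(make_png_1x1() + b"MZ" + b"\x90" * 64))
    print(scan_image(make_fake_jpeg() + b"MZ" + b"\x90" * 64))
```

The check is deliberately narrow: it catches appended trailers, not payloads hidden in pixel data or in extra chunks, so treat a clean result as "no trailer" rather than "no steganography".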
The disclosure comes as CERT-UA detailed a number of phishing operations distributing the SmokeLoader malware as well as a smishing attack designed to gain unauthorized control of targets’ Telegram accounts.
Last month, CERT-UA disclosed a cyber espionage campaign aimed at state organizations and media representatives in Ukraine that makes use of email and instant messengers to distribute files, which, when launched, results in the execution of a PowerShell script called LONEPAGE to fetch next-stage browser stealer (THUMBCHOP) and keylogger (CLOGFLAG) payloads.
GhostWriter is one among the many threat actors that have set their sights on Ukraine. This also includes the Russian nation-state group APT28, which has been observed using HTML attachments in phishing emails that prompt recipients to change their UKR.NET and Yahoo! passwords due to suspicious activity detected in their accounts so as to redirect them to bogus landing pages that ultimately steal their credentials.
The development also follows the adoption of a “standard five-phase playbook” by hackers associated with the Russian military intelligence (GRU) in their disruptive operations against Ukraine in a “deliberate effort to increase the speed, scale, and intensity” of their attacks.
This comprises taking advantage of living-on-the-edge infrastructure to gain initial access, using living-off-the-land techniques to conduct reconnaissance, lateral movement and information theft to limit their malware footprint and evade detection, creating persistent, privileged access via group policy objects (GPO), deploying wipers, and telegraphing their acts via hacktivist personas on Telegram.
“The benefits the playbook affords are notably suited for a fast-paced and highly contested operating environment, indicating that Russia’s wartime goals have likely guided the GRU’s chosen tactical courses of action,” Google-owned Mandiant said.