New Ghostwriter Campaign Targets Ukrainian Government and Opposition Activists in Belarus
A new variant of the PicassoLoader toolkit has been spotted in a Ghostwriter campaign targeting Ukrainian government entities, military organizations, and opposition activists in Belarus. SentinelLABS, a cybersecurity research firm, uncovered the threat actor's latest tactic in a report published earlier this year.
The attack began with a phishing email containing a link to a Google Drive folder, where the recipient was prompted to download a malicious Excel workbook named "Political prisoners (across courts of Minsk).xls". The file contained an obfuscated VBA macro that, upon execution, dropped Realtek(r)Audio.dll in %Temp% and launched it via regsvr32.exe. This led to the deployment of a .NET assembly containing a stripped-down PicassoDownloader variant linked to Ghostwriter.
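A defender's view of the delivery chain just described (Excel running a macro that writes a DLL into %Temp% and loads it through regsvr32.exe) is a process-tree detection. The following Python is an added example, not code from SentinelLABS or from the article; the process-creation events are constructed for this example, the regsvr32 command line is assumed (the report names the DLL and the loader but not the exact arguments), and the field names mimic a flattened Sysmon Event ID 1 record.

```python
"""
Flag regsvr32.exe launches that match the Ghostwriter delivery chain:
spawned by an Office application and/or loading a DLL from a user-writable
directory such as %Temp%. Added example; events below are constructed.
"""
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\Political prisoners (across courts of Minsk).xls"'},
    {"pid": 5208, "ppid": 4120,
     "image": r"C:\Windows\System32\regsvr32.exe",
     # Assumed command line: the DLL name is from the report, the /s switch is not.
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\Realtek(r)Audio.dll"'},
    {"pid": 5310, "ppid": 1234,
     "image": r"C:\Windows\System32\regsvr32.exe",
     # Benign-looking registration from an installer: not an Office child, not a temp path.
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"pid": 5400, "ppid": 4120,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Directories an unprivileged user (and therefore a macro) can write to.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.IGNORECASE)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_regsvr32(events):
    """Return one hit per regsvr32 launch that matches at least one indicator."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        parent = by_pid.get(e["ppid"])  # None if the parent was not observed
        m = DLL_ARG.search(e["cmdline"])
        dll = m.group(1) if m else None
        reasons = []
        if parent and basename(parent["image"]) in OFFICE_APPS:
            reasons.append("parent is an Office application")
        if dll and USER_WRITABLE.search(dll):
            reasons.append("DLL loaded from a user-writable directory")
        if reasons:
            hits.append({"pid": e["pid"], "dll": dll, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_regsvr32(SAMPLE_EVENTS):
        print(hit)
```

Both indicators fire on the constructed event for PID 5208, while the installer-style registration (PID 5310) produces no hit; in production the parent lookup would come from the EDR's own parent-process fields rather than a PID map built from a single batch of events.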
The downloader used an evasion technique that relies on header tampering: it altered its own PE header in memory and broke the internal links to the .NET assembly, so that security products could no longer parse the image as a .NET module. It also patched additional code in memory and decrypted further stages only at runtime, to evade detection.
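Security products recognise a .NET module by the CLR runtime header referenced from the PE optional header's data directories; breaking that reference is what the tampering described above achieves. The Python below is an added example, not code from the report, showing the check a memory-forensics or EDR pipeline can run: parse the directory entry from the on-disk file and from a dumped in-memory copy, and flag the module when only the on-disk copy still advertises a CLR header. The PE image is constructed here (a header only, not an executable), and the RVA and size values are arbitrary.

```python
"""
Detect a module whose in-memory image has lost its .NET (CLR) header while
the on-disk file still has one. Added example with a constructed PE32 header.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory index of the CLR runtime header


def clr_directory(image: bytes):
    """Return (rva, size) of the CLR runtime header, or None if the bytes do not
    parse as a PE image carrying one. Minimal parser for just these fields."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_off = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if opt_off + 2 > len(image):
        return None
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x10B:    # PE32
        num_rva_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:  # PE32+
        num_rva_off, dd_off = opt_off + 108, opt_off + 112
    else:
        return None
    if num_rva_off + 4 > len(image):
        return None
    num_dirs = struct.unpack_from("<I", image, num_rva_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > len(image):
        return None
    rva, size = struct.unpack_from("<II", image, entry)
    return (rva, size) if rva and size else None


def build_minimal_pe32(clr_rva=0x2008, clr_size=0x48) -> bytes:
    """Constructed PE32 header laid out like a .NET assembly's (no sections, not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, opt hdr 224 bytes
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def dotnet_header_mismatch(on_disk: bytes, in_memory: bytes) -> bool:
    """True when the file on disk is a .NET module but its dumped in-memory image
    no longer parses as one: the symptom the report attributes to PicassoLoader."""
    return clr_directory(on_disk) is not None and clr_directory(in_memory) is None


if __name__ == "__main__":
    disk_image = build_minimal_pe32()
    dumped_image = build_minimal_pe32(clr_rva=0, clr_size=0)  # CLR directory cleared
    print("on-disk CLR header:", clr_directory(disk_image))
    print("mismatch:", dotnet_header_mismatch(disk_image, dumped_image))
```

The same comparison can be extended to the other fields the loader is reported to alter (the DOS and PE signatures), since `clr_directory` already returns None when either is missing; a real pipeline would read the dumped image with a PE library rather than this minimal parser.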
The attackers also used a decoy Excel file, titled "temp.xlsx", which was opened for the victim to make them believe they were seeing the original content of the "politizakliche (po sudam Minsk).xls" file. Meanwhile, additional payloads were downloaded in the background, hidden by steganography.
The attack appears to be an extension of the long-running Ghostwriter campaign, which has been linked to Russian security interests since at least March 2017. The threat actor is believed to be tied to the Belarusian government and has mounted multiple attacks against Ukrainian targets throughout 2024.
"The Ghostwriter threat actor has been consistently active in the past years and continues its attempts to compromise targets aligned with the interests of Belarus and its closest ally, Russia," concludes the report. "This campaign serves as confirmation that Ghostwriter is closely tied with the interests of the Belarusian government waging an aggressive pursuit of its opposition and organizations associated with it."
According to SentinelLABS, the attack chain used in this campaign highlights a shift in Ghostwriter's targeting towards Belarusian opposition activists. The use of weaponized Microsoft Excel documents as lures marks a new tactic for the threat actor.
The researchers also noted that the URLs used by the attackers are now inactive, suggesting that the campaigns may have been short-lived or have already concluded. Attribution nonetheless rests on the use of PicassoLoader, a downloader toolkit linked to Ghostwriter.
In 2024, APT groups deployed Excel workbooks carrying Macropack-obfuscated VBA macros and .NET downloaders obfuscated with ConfuserEx; the variant seen here appears to be a simplified version of PicassoLoader. The new campaign is another example of the evolving tactics of state-sponsored actors in the cyber threat landscape.
"Belarus doesn't actively participate in military campaigns in the war in Ukraine, but cyber threat actors associated with it appear to have no reservation about conducting cyber espionage operations against Ukrainian targets," concludes the report. "The campaign described in this publication also serves as confirmation that Ghostwriter is closely tied with the interests of the Belarusian government waging an aggressive pursuit of its opposition and organizations associated with it."