
Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware

Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader.

The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057, and UNC1151) since 2016. It is known to align with Russian security interests and to promote narratives critical of NATO.


“The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024,” SentinelOne researcher Tom Hegel said in a technical report shared with The Hacker News. “Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days.”

The starting point of the attack chain analyzed by the cybersecurity company is a Google Drive shared document that originated from an account named Vladimir Nikiforech and hosted a RAR archive.


The RAR file includes a malicious Excel workbook, which, when opened, triggers the execution of an obfuscated macro if potential victims allow macros to run. The macro proceeds to write a DLL file that ultimately paves the way for a simplified version of PicassoLoader.

In the next phase, a decoy Excel file is displayed to the victim, while, in the background, additional payloads are downloaded onto the system. As recently as June 2024, this approach was used to deliver the Cobalt Strike post-exploitation framework.

SentinelOne said it also discovered other weaponized Excel documents bearing Ukraine-themed lures that retrieve an unknown second-stage malware from a remote URL (“sciencealert[.]store”) in the form of a seemingly innocuous JPG image, a technique referred to as steganography. The URLs are no longer available.
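The article does not say how the payload was hidden inside the JPG. One of the most common forms of image-carried payloads is data appended after the JPEG End-Of-Image marker, which viewers silently ignore. The following is an added defender-side example, not code from SentinelOne or the article: it walks the JPEG segment structure (rather than searching for the last 0xFFD9 bytes, which an appended payload can contain) and reports any trailing bytes. The sample image and trailer are constructed for the example.

```python
"""Detect data appended after a JPEG's End-Of-Image (EOI) marker.

Added example; not from the SentinelOne report. Whether the Ghostwriter JPGs
used an appended trailer or pixel-level hiding is not stated in the article,
so this check covers only the appended-trailer form.
"""
import struct

SOI = b"\xff\xd8"
EOI_MARKER = 0xD9
SOS_MARKER = 0xDA
# Markers that carry no length field: TEM, SOI and restart markers RST0..RST7.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))
# Inside entropy-coded data, 0xFF is followed by 0x00 (byte stuffing), 0xFF
# (fill byte) or an RSTn marker; anything else is the next real marker.
NOT_A_MARKER = {0x00, 0xFF} | set(range(0xD0, 0xD8))


def jpeg_trailer(data: bytes) -> bytes:
    """Walk the segment structure and return whatever follows the real EOI.

    An empty result means the file ends at EOI. The walk honours the SOS
    entropy-coded section so that an 0xFFD9 pair inside an appended payload
    is not mistaken for the real EOI (a plain rfind() would be fooled).
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte preceding a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI_MARKER:
            return data[pos:]
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += seg_len                  # length field counts its own 2 bytes
        if marker == SOS_MARKER:
            # Skip entropy-coded bytes until the next genuine marker.
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] not in NOT_A_MARKER):
                pos += 1
    raise ValueError("no EOI marker found")


def classify_image(data: bytes) -> str:
    """'clean' if nothing follows EOI, otherwise 'trailer:<byte count>'."""
    trailer = jpeg_trailer(data)
    return "clean" if not trailer else f"trailer:{len(trailer)}"


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP0/JFIF, SOS with a few entropy bytes
    (including a stuffed 0xFF00 and an RST0 marker), then EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return SOI + app0 + sos + entropy + b"\xff\xd9"


# Constructed trailer; it deliberately contains an 0xFFD9 pair to show why the
# parser walks segments instead of searching backwards for EOI bytes.
CONSTRUCTED_TRAILER = b"\x00\x01\xff\xd9\x02constructed-payload"

if __name__ == "__main__":
    print(classify_image(build_sample_jpeg()))                        # clean
    print(classify_image(build_sample_jpeg() + CONSTRUCTED_TRAILER))  # trailer:24
```

Run it against a directory of images fetched by Office processes and alert on any `trailer:` result; a legitimate camera or web JPEG ends at EOI, so trailing bytes are worth a second look even before the content is decoded.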


In another instance, the booby-trapped Excel document is used to deliver a DLL named LibCMD, which is designed to run cmd.exe and connect to stdin/stdout. It is directly loaded into memory as a .NET assembly and executed.
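Because LibCMD runs cmd.exe from inside Excel, the resulting process tree has EXCEL.EXE as the parent of a command interpreter, which is one of the most reliable low-cost detections for macro-delivered loaders in general. The following is an added example, not part of the article or the SentinelOne report: it applies that parent/child rule to process-creation telemetry. The log lines are constructed in a simple key=value format; Sysmon Event ID 1 and EDR records expose the same Image/ParentImage fields under their own names.

```python
"""Flag command interpreters spawned by Microsoft Office processes.

Added example, not code from the article or the SentinelOne report. The rule
is deliberately coarse: an Office application should rarely be the direct
parent of cmd.exe, PowerShell or a script host.
"""
import ntpath
from typing import Dict, List

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value|Key=Value' into a dict with lower-cased keys.

    Only the first '=' in each field separates key from value, so values may
    contain '='. Fields must not contain '|' in this constructed format.
    """
    event: Dict[str, str] = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key.strip().lower()] = value.strip()
    return event


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def office_spawned_interpreter(event: Dict[str, str]) -> bool:
    """True when an Office parent launched a shell or script host."""
    parent = image_name(event.get("parentimage", ""))
    child = image_name(event.get("image", ""))
    return parent in OFFICE_PARENTS and child in INTERPRETERS


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the rule, in log order."""
    return [ev for ev in (parse_event(line) for line in lines) if office_spawned_interpreter(ev)]


# Constructed sample telemetry (not real campaign data).
SAMPLE_LOG = [
    r"EventId=1|ProcessId=4120|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"EventId=1|ProcessId=4188|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventId=1|ProcessId=4302|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EventId=1|ProcessId=4377|Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|ParentImage=C:\Windows\explorer.exe",
    r"EventId=1|ProcessId=4401|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(f"ALERT pid={ev['processid']} {image_name(ev['parentimage'])} -> {image_name(ev['image'])}")
```

This catches the visible symptom (the spawned cmd.exe), not the in-memory .NET assembly load itself; that part needs module-load or AMSI telemetry, which is why the process-lineage rule is best treated as one layer alongside macro blocking and attachment scanning.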


“Throughout 2024, Ghostwriter has repeatedly used a mix of Excel workbooks containing Macropack-obfuscated VBA macros and dropped embedded .NET downloaders obfuscated with ConfuserEx,” Hegel said.

“While Belarus doesn't actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyber espionage operations against Ukrainian targets.”
