Opposition activists in Belarus, as well as Ukrainian military and government organizations, are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader.
The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057, and UNC1151) since 2016. It is known to align with Russian security interests and promote narratives critical of NATO.
“The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024,” SentinelOne researcher Tom Hegel said in a technical report shared with The Hacker News. “Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days.”
The starting point of the attack chain analyzed by the cybersecurity company is a Google Drive shared document that originated from an account named Vladimir Nikiforech and hosted a RAR archive.
The RAR file includes a malicious Excel workbook, which, when opened, triggers the execution of an obfuscated macro once potential victims allow macros to run. The macro proceeds to write a DLL file that ultimately paves the way for a simplified version of PicassoLoader.
In the next phase, a decoy Excel file is displayed to the victim while, in the background, additional payloads are downloaded onto the system. As recently as June 2024, this approach was used to deliver the Cobalt Strike post-exploitation framework.
SentinelOne said it also discovered other weaponized Excel documents bearing Ukraine-themed lures that retrieve an unknown second-stage malware from a remote URL (“sciencealert[.]store”) in the form of a seemingly harmless JPG image, a technique known as steganography. The URLs are no longer available.
In another instance, the booby-trapped Excel document is used to deliver a DLL named LibCMD, which is designed to run cmd.exe and connect to its stdin/stdout. It is loaded directly into memory as a .NET assembly and executed.
“Throughout 2024, Ghostwriter has repeatedly used a mix of Excel workbooks containing Macropack-obfuscated VBA macros and dropped embedded .NET downloaders obfuscated with ConfuserEx,” Hegel said.
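The pattern described above, a macro-enabled Excel workbook that carries and writes out a .NET DLL, can be triaged offline without opening the file in Office. The following script is an added example written for this article, not code from SentinelOne or from the campaign; it assumes the workbook is in OOXML (zip) form and that the payload is stored as a binary part inside the archive, and it builds its own constructed sample rather than using any real Ghostwriter document.

```python
import io
import struct
import zipfile


def looks_like_pe(data: bytes) -> bool:
    """True if data carries an MZ header whose e_lfanew points at 'PE\\0\\0'.

    A DLL dropped by the macro (including a ConfuserEx-obfuscated .NET
    assembly) is still a PE image, so this catches it regardless of packing.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_workbook(blob: bytes) -> dict:
    """Open an OOXML workbook and report VBA and embedded-PE indicators."""
    findings = {"has_vba": False, "embedded_pe": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            # xl/vbaProject.bin is the OLE container holding VBA macros.
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True
            if looks_like_pe(part):
                findings["embedded_pe"].append(name)
    # Macros plus a raw PE image in a spreadsheet is worth an analyst's look.
    findings["suspicious"] = findings["has_vba"] and bool(findings["embedded_pe"])
    return findings


def fake_pe() -> bytes:
    """Constructed minimal PE-like blob (not a real binary) for the sample."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature offset
    return bytes(hdr) + b"PE\x00\x00" + bytes(200)


def build_sample() -> bytes:
    """Constructed workbook: VBA project part plus an embedded PE image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + bytes(64))
        zf.writestr("xl/embeddings/oleObject1.bin", fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample()))
```

For real documents, pair this with a VBA extractor such as olevba, since a macro may carry the DLL as an encoded string in its source rather than as a separate zip part.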
“While Belarus does not actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyber espionage operations against Ukrainian targets.”