Source: The Hacker News (info@thehackernews.com), 3h ago
A new cyber espionage campaign, attributed to the Belarus-aligned threat actor Ghostwriter, is targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign leverages malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. Ghostwriter, also known as Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and is known to align with Russian security interests, promoting narratives critical of NATO.

The attack chain begins with a Google Drive shared document hosting a RAR archive that contains a malicious Excel workbook. When opened, the workbook executes an obfuscated macro that drops a simplified variant of PicassoLoader. While a decoy spreadsheet is shown to the victim, further payloads are downloaded to the system. The operators also use steganography, hiding malicious code inside seemingly harmless JPG images, to retrieve second-stage malware from remote URLs. SentinelOne has observed Ghostwriter repeatedly using Excel workbooks with Macropack-obfuscated VBA macros and embedded .NET downloaders, pointing to a persistent cyberespionage operation against Ukrainian targets.
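As an added defender-side example (it is not code from the article, from SentinelOne or from The Hacker News), the following Python triage helper flags two artefacts the attack chain above relies on: an Excel container that carries a VBA project, and a JPEG with bytes appended after its end-of-image marker. The sample workbook and JPEG are constructed in memory. The trailing-bytes check is a generic heuristic for image files used to smuggle data and is not a claim about how this campaign's steganography works; the RAR unpacking step is assumed to have been done already, so members are passed in as a dict of name to bytes.

```python
import io
import zipfile

# --- Constructed sample artefacts (built in memory; NOT files from the campaign) ---

def build_workbook(with_macros: bool) -> bytes:
    """Build a minimal OOXML-style container; a macro-enabled workbook carries xl/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # OLE2 magic plus filler stands in for a compiled VBA project.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def build_jpeg(trailer: bytes = b"") -> bytes:
    """Build a tiny structurally valid JPEG (SOI, APP0, SOS, EOI) with optional appended bytes."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # entropy-coded data containing one stuffed 0xFF00
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


# --- Checks ---

def workbook_has_vba(data: bytes) -> bool:
    """True if the OOXML zip contains a VBA project part, regardless of file extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False  # not an OOXML container (e.g. legacy OLE .xls or junk)
    return any(n.endswith("vbaproject.bin") for n in names)


def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk the JPEG marker segments and return how many bytes follow the EOI marker."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: everything after it is extra
            return len(data) - (pos + 2)
        if marker == 0xFF:                      # fill byte, skip
            pos += 1
            continue
        if marker == 0xDA:                      # SOS: skip header, then scan data
            seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + seglen
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # 0xFF00 is a stuffed byte and 0xFFD0-D7 are restart markers; both stay in-scan
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            continue
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # standalone markers, no length field
            pos += 2
            continue
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
    raise ValueError("no EOI marker found")


def triage(members: dict) -> list:
    """Run both checks over already-extracted archive members; returns (name, reason) pairs."""
    findings = []
    for name, blob in members.items():
        low = name.lower()
        if low.endswith((".xlsx", ".xlsm", ".xls")) and workbook_has_vba(blob):
            findings.append((name, "workbook contains a VBA project"))
        elif low.endswith((".jpg", ".jpeg")):
            extra = jpeg_trailing_bytes(blob)
            if extra:
                findings.append((name, f"{extra} bytes appended after JPEG EOI"))
    return findings


if __name__ == "__main__":
    sample = {
        "invoice.xlsm": build_workbook(True),
        "clean.xlsx": build_workbook(False),
        "photo.jpg": build_jpeg(),
        "lure.jpg": build_jpeg(b"MZ" + b"\x00" * 30),
    }
    for name, reason in triage(sample):
        print(f"{name}: {reason}")
```

Both checks are cheap enough to run on every attachment unpacked from an archive at the mail gateway or sandbox stage; a VBA project inside a spreadsheet that arrives via a cloud-drive link, or an image with a payload-sized tail, is worth a detonation before it reaches a user.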



References:
  • bsky.app: After many reports on Ghostwriter's info-ops, SentinelOne has seen the group returning to malware delivery, this time with a campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations
  • Talkback Resources: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
  • The Hacker News: Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware
  • Talkback Resources: Talkback post on "Excel Macros to Deploy Malware"
Classification:
  • HashTags: #Ghostwriter #Cyberespionage #Malware
  • Company: Microsoft
  • Target: Belarusian Opposition and Ukrainian Government
  • Product: Microsoft Excel
  • Feature: Malware Delivery
  • Malware: PicassoLoader
  • Type: Espionage
  • Severity: Major