Opposition activists in Belarus, as well as Ukrainian military and government organizations, are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader.
The threat cluster has been assessed to be an extension of a long-running campaign mounted since 2016 by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057, and UNC1151). The group is known to align with Russian security interests and to promote narratives critical of NATO.
"The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024," SentinelOne researcher Tom Hegel said in a technical report shared with The Hacker News. "Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days."
The starting point of the attack chain analyzed by the cybersecurity company is a Google Drive shared document that originated from an account named Vladimir Nikiforech and hosted a RAR archive.
The RAR file contains a malicious Excel workbook which, once opened, executes an obfuscated macro as soon as the potential victim enables macros. The macro proceeds to write a DLL file to disk that ultimately paves the way for a simplified version of PicassoLoader.
In the next phase, a decoy Excel file is displayed to the victim while, in the background, additional payloads are downloaded onto the system. As recently as June 2024, this approach was used to deliver the Cobalt Strike post-exploitation framework.
SentinelOne said it also discovered other weaponized Excel documents bearing Ukraine-themed lures that retrieve an unknown second-stage malware from a remote URL ("sciencealert[.]store") in the form of a seemingly harmless JPG image, a technique known as steganography. The URLs are no longer available.
In another instance, the booby-trapped Excel document is used to deliver a DLL named LibCMD, which is designed to run cmd.exe and connect to its stdin/stdout. It is loaded directly into memory as a .NET assembly and executed, so it never has to touch disk as a separate file.
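The two delivery tricks described above, a macro-enabled Excel lure and a second stage hidden behind a JPG, are the sort of thing a responder can screen for before opening anything. The following Python script is an added triage example, not SentinelOne's tooling and not code from the campaign. It makes two assumptions: the workbook check only looks at OOXML (zip-based) .xlsx/.xlsm files and flags the xl/vbaProject.bin part that marks a macro-enabled workbook; the JPEG check walks the marker structure and returns whatever bytes sit after the real End-Of-Image marker, which catches the simplest "payload appended to a valid image" form of the technique and nothing more elaborate (the report does not say how the payload was hidden in the image). All sample inputs are constructed inline; the names `triage`, `workbook_macro_parts` and `jpeg_trailing_payload` are hypothetical.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
RST_MARKERS = set(range(0xD0, 0xD8))   # RST0..RST7 legitimately appear inside scan data


def workbook_macro_parts(data: bytes) -> list:
    """Return the names of VBA-related parts in an OOXML workbook (.xlsx/.xlsm).

    A plain .xlsx carries none; a macro-enabled workbook stores its VBA project as
    xl/vbaProject.bin. Non-zip input (for example a legacy binary .xls) yields [].
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return sorted(n for n in zf.namelist() if "vbaproject" in n.lower())
    except zipfile.BadZipFile:
        return []


def jpeg_trailing_payload(data: bytes) -> bytes:
    """Walk the JPEG marker structure and return any bytes after the real EOI.

    A naive search for ff d9 is fooled by EXIF thumbnails, which carry their own
    SOI/EOI inside an APP1 segment; following segment lengths avoids that.
    """
    if data[:2] != JPEG_SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI: the rest is a trailer
            return data[pos + 2:]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker in RST_MARKERS or marker == 0x01:     # standalone markers, no length field
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_MARKERS:
                    break                               # a real marker (EOI, DHT, ...)
                pos += 1
    raise ValueError("no EOI marker found")


def triage(name: str, data: bytes) -> list:
    """Return human-readable findings for one downloaded artefact (hypothetical helper)."""
    findings = []
    lower = name.lower()
    if lower.endswith((".xlsx", ".xlsm", ".xls")):
        parts = workbook_macro_parts(data)
        if parts:
            findings.append("%s: VBA project present (%s)" % (name, ", ".join(parts)))
    elif lower.endswith((".jpg", ".jpeg")):
        trailer = jpeg_trailing_payload(data)
        if trailer:
            findings.append("%s: %d bytes after EOI" % (name, len(trailer)))
    return findings


# --- constructed sample inputs, so the script runs offline ---------------------

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Minimal constructed JPEG: JFIF APP0, an APP1 holding an embedded thumbnail
    (with its own SOI/EOI), a scan with byte stuffing and an RST0 marker, then EOI."""
    thumbnail = b"\xff\xd8\xff\xd9"
    return (JPEG_SOI
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xE1, b"Exif\x00\x00" + thumbnail)
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\xff\x00\x34\xff\xd0\x56"
            + b"\xff\xd9"
            + trailer)


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed OOXML skeleton; real workbooks have more parts, but the presence
    of xl/vbaProject.bin is what distinguishes a macro-enabled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("lure.xlsm", build_sample_workbook(True)),
               ("clean.xlsx", build_sample_workbook(False)),
               ("image.jpg", build_sample_jpeg(b"MZ-second-stage"))]
    for name, data in samples:
        print(name, triage(name, data) or "no findings")
```

The structural walk matters: the constructed JPEG deliberately contains a second ff d9 inside its EXIF thumbnail, so a plain byte search for the End-Of-Image marker would stop at offset 32 and report the rest of the legitimate image as a "trailer". A positive finding from either check is a reason to detonate the file in a sandbox, not proof of compromise on its own; benign macro workbooks and cameras that append data after EOI both exist.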
"Throughout 2024, Ghostwriter has repeatedly used a mix of Excel workbooks containing Macropack-obfuscated VBA macros and dropped embedded .NET downloaders obfuscated with ConfuserEx," Hegel said.
"While Belarus doesn't actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyber espionage operations against Ukrainian targets."