
Opposition activists in Belarus, as well as Ukrainian military and government organizations, are the target of a new campaign that uses malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader.
The threat cluster has been assessed to be an extension of a long-running campaign mounted since 2016 by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057, and UNC1151). The group is known to align with Russian security interests and to promote narratives critical of NATO.

"The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024," SentinelOne researcher Tom Hegel said in a technical report shared with The Hacker News. "Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days."
The starting point of the attack chain analyzed by the cybersecurity company is a Google Drive shared document that originated from an account named Vladimir Nikiforech and hosted a RAR archive.
The RAR file contains a malicious Excel workbook which, when opened, triggers an obfuscated macro once the prospective victim enables macros. The macro writes a DLL file to disk that ultimately leads to a simplified version of PicassoLoader.

In the next phase, a decoy Excel file is displayed to the victim while, in the background, additional payloads are downloaded onto the system. As recently as June 2024, this approach was used to deliver the Cobalt Strike post-exploitation framework.
SentinelOne said it also discovered other weaponized Excel documents with Ukraine-themed lures that retrieve an unknown second-stage malware from a remote URL ("sciencealert[.]store") in the form of a seemingly harmless JPG image, a technique known as steganography. The URLs are no longer available.
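A defender-side check for the image-delivery step described above, added here as an example and not code from SentinelOne or from the article: it walks the JPEG segment structure to locate the real End-Of-Image marker and reports any bytes appended after it, the usual place a second stage is parked inside a "harmless" image. The sample image bytes are constructed for the example.

```python
# Constructed sample inputs (not samples from the campaign): a minimal JPEG,
# and the same image with a PE file appended after the End-Of-Image marker.
CLEAN_JPEG = (
    b"\xff\xd8"                                                       # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(9)  # APP0
    + b"\xff\xda" + (8).to_bytes(2, "big") + bytes(6)                 # SOS header
    + b"\x12\x34\xff\x00\x56"               # scan data with a stuffed 0xFF00
    + b"\xff\xd9"                                                     # EOI
)
STEGO_JPEG = CLEAN_JPEG + b"MZ\x90\x00" + b"A" * 10


def find_eoi_end(data: bytes):
    """Offset just past the real EOI marker, found by walking the segments (None
    if malformed). Unlike a search for FF D9, an EXIF thumbnail's own EOI can't fool it."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                    # EOI
            return pos + 2
        if marker == 0xFF:                                    # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                          # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                   # a real marker, not stuffing or RSTn
                pos += 1
    return None


def jpeg_trailer_report(data: bytes) -> dict:
    """Bytes that follow the image, and whether they begin like a PE file."""
    end = find_eoi_end(data)
    if end is None:
        return {"valid_jpeg": False, "trailing_bytes": 0, "pe_in_trailer": False}
    trailer = data[end:]
    return {"valid_jpeg": True, "trailing_bytes": len(trailer),
            "pe_in_trailer": trailer.startswith(b"MZ")}
```

A payload encoded into the pixel data itself rather than appended after the image will not show up here; this check catches the common appended-trailer form only.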

In another instance, the booby-trapped Excel document is used to deliver a DLL named LibCMD, which is designed to run cmd.exe and connect to its stdin/stdout. It is loaded directly into memory as a .NET assembly and executed.
"Throughout 2024, Ghostwriter has repeatedly used a mix of Excel workbooks containing Macropack-obfuscated VBA macros and dropped embedded .NET downloaders obfuscated with ConfuserEx," Hegel said.
"While Belarus doesn't actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyber espionage operations against Ukrainian targets."