Belarus-Linked Ghostwriter Utilizes Macropack-Obfuscated Excel Macros to Distribute Malware

Feb 25, 2025
Malware / Cyber Espionage

A new campaign targeting opposition activists in Belarus and Ukrainian military and government entities is using malware-laden Microsoft Excel documents to spread a new variant of PicassoLoader. This operation appears to be an extension of an ongoing effort by the Belarus-aligned threat actor known as Ghostwriter (also referred to as Moonscape, TA445, UAC-0057, and UNC1151), which has been active since 2016. Ghostwriter is believed to align with Russian security interests and promote anti-NATO narratives.

“Preparation for the campaign began in July-August 2024, with active operations starting in November-December 2024,” stated SentinelOne researcher Tom Hegel in a technical report shared with The Hacker News. “Recent findings regarding malware samples and command-and-control (C2) infrastructure suggest that the operation continues to be active.” The attack chain, as analyzed by the cybersecurity firm, is initiated via a Google Drive shared link.

Belarus-Linked Ghostwriter Exploits Obfuscated Excel Macros to Distribute Malware

February 25, 2025
Malware / Cyber Espionage

A newly uncovered cyber campaign has emerged, targeting opposition activists in Belarus alongside military and governmental entities in Ukraine. This operation utilizes malware-infused Microsoft Excel documents to disseminate a variant of PicassoLoader, a malicious payload designed to compromise systems and exfiltrate data. Analysts have linked this threat to Ghostwriter, a persistent Belarus-based threat actor also known as Moonscape, TA445, UAC-0057, and UNC1151. This group is believed to align with Russian state interests and actively disseminates disinformation critical of NATO.

The campaign, which went into an active phase in late 2024, follows a preparatory period that began in mid-2024. According to a report by SentinelOne researcher Tom Hegel published on The Hacker News, recent analyses of malware samples and command-and-control (C2) infrastructure reveal that the operation continues to be active. The initial point of the attack has been traced back to a Google Drive share, indicating that the actors are utilizing social engineering techniques to lure victims into opening the malicious files.

This campaign illustrates a broader trend of cyber threats that abuse familiar document formats such as Excel to slip past security controls. The macros are obfuscated with MacroPack, a tool that rewrites VBA code (renaming identifiers, encoding strings and similar transformations) so that signature-based scanners are less likely to flag it. Given the malware's sophistication, several techniques catalogued in the MITRE ATT&CK framework were likely employed across the attack cycle.

The tactics likely involved in this campaign include initial access through phishing, persistence by embedding malicious code within documents, and command-and-control communication for data exfiltration. Together these reflect a strategy of maintaining long-term access to compromised systems while keeping the likelihood of detection low.
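The two paragraphs above describe the defender-relevant traits of this campaign: a macro-enabled workbook as the lure, and VBA that has been mechanically obfuscated. The following Python is an added triage example written for this article; it is not SentinelOne's tooling or anything from the report. It checks whether an OOXML workbook carries a VBA project part, and scores already-extracted VBA source for MacroPack-style traits (auto-exec entry points, long `Chr()` chains, `StrReverse`, object-creation calls, and vowel-free generated variable names). It assumes the VBA text was extracted beforehand (for example with oletools' `olevba`); decompressing `vbaProject.bin` is out of scope. The workbook bytes and both VBA samples are constructed for the example.

```python
import io
import re
import zipfile

# Added example for this article (not SentinelOne's code). Assumes VBA
# source text has already been extracted from the workbook; MS-OVBA
# decompression of vbaProject.bin is deliberately not implemented here.

AUTO_EXEC = re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen|AutoExec)\b", re.I)
CHR_CALL = re.compile(r"\bChr[BW]?\s*\(", re.I)
STR_REVERSE = re.compile(r"\bStrReverse\s*\(", re.I)
API_OBJECT = re.compile(r"\b(CreateObject|GetObject|Shell|WScript\.Shell|URLDownloadToFile|XMLHTTP)\b", re.I)
DIM_NAME = re.compile(r"\bDim\s+([A-Za-z_]\w*)", re.I)
VOWELS = set("aeiouAEIOU")


def has_vba_project(ooxml_bytes: bytes) -> bool:
    """True if an OOXML workbook (xlsx/xlsm) embeds a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def looks_random(name: str) -> bool:
    """Generated identifiers tend to be long and almost vowel-free."""
    if len(name) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.2


def score_vba(source: str) -> dict:
    """Return indicator counts plus a total obfuscation score for VBA text."""
    declared = DIM_NAME.findall(source)
    random_names = [n for n in declared if looks_random(n)]
    indicators = {
        "auto_exec": bool(AUTO_EXEC.search(source)),
        "chr_calls": len(CHR_CALL.findall(source)),
        "str_reverse": bool(STR_REVERSE.search(source)),
        "api_objects": len(API_OBJECT.findall(source)),
        "random_name_ratio": (len(random_names) / len(declared)) if declared else 0.0,
    }
    score = 0
    score += 2 if indicators["auto_exec"] else 0          # runs on open
    score += 2 if indicators["chr_calls"] >= 5 else 0     # string built from char codes
    score += 1 if indicators["str_reverse"] else 0        # reversed literals
    score += 2 if indicators["api_objects"] else 0        # reaches outside Excel
    score += 2 if len(declared) >= 2 and indicators["random_name_ratio"] >= 0.5 else 0
    indicators["score"] = score
    indicators["verdict"] = "suspicious" if score >= 4 else "low"
    return indicators


def build_workbook(with_macros: bool) -> bytes:
    """Construct a minimal in-memory OOXML zip (a stand-in, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed VBA samples: one with MacroPack-style traits, one ordinary.
OBFUSCATED_VBA = """
Sub Auto_Open()
    Dim xKqZpTwRv As String
    xKqZpTwRv = Chr(119) & Chr(101) & Chr(108) & Chr(99) & Chr(111) & Chr(109) & Chr(101)
    Dim bHtRnWcP As Object
    Set bHtRnWcP = CreateObject(StrReverse("llehS.tpircSW"))
    MsgBox xKqZpTwRv
End Sub
"""

BENIGN_VBA = """
Sub FormatReport()
    Dim totalRows As Long
    totalRows = ActiveSheet.UsedRange.Rows.Count
    Range("A1").Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    print("macro-enabled:", has_vba_project(build_workbook(True)))
    print("obfuscated sample:", score_vba(OBFUSCATED_VBA))
    print("benign sample:", score_vba(BENIGN_VBA))
```

The weights are illustrative; in practice the score would feed a mail-gateway or EDR rule together with context such as the document arriving via a cloud-share link, as in this campaign.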

The implications of this campaign are significant for anyone operating in the affected regions or engaging with targets linked to Belarus and Ukraine. Understanding these methodologies is critical for business owners and technology leaders as they seek to bolster their cybersecurity posture against similar threats.

As the geopolitical landscape continues to influence cyber activity, businesses must remain vigilant in monitoring potential incursions into their systems. The tactics and motivations of groups like Ghostwriter serve as a reminder of the evolving nature of cyber threats, emphasizing the need for robust defenses against sophisticated attacks using commonly utilized platforms.
