info@thehackernews.com (The Hacker News) - 2d
A new cyber espionage campaign, attributed to the Belarus-aligned threat actor Ghostwriter, is targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign leverages malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. Ghostwriter, also known as Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and is known to align with Russian security interests, promoting narratives critical of NATO.
The attack chain begins with a Google Drive shared document hosting a RAR archive containing a malicious Excel workbook. When opened, the workbook triggers the execution of an obfuscated macro, paving the way for a simplified version of PicassoLoader. While a decoy Excel file is displayed to the victim, additional payloads are downloaded onto the system. Techniques like steganography, hiding malicious code within seemingly harmless JPG images, are also used to retrieve second-stage malware from remote URLs. SentinelOne has observed Ghostwriter repeatedly using Excel workbooks with Macropack-obfuscated VBA macros and embedded .NET downloaders, highlighting a persistent cyberespionage operation against Ukrainian targets.
References:
- bsky.app: After many reports on Ghostwriter's info-ops, SentinelOne has seen the group returning to malware delivery, this time with a campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations
- Talkback Resources: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
- The Hacker News: Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware
- Talkback Resources: Talkback post on Excel Macros to Deploy Malware
- Anonymous: A new malware campaign targets Belarusian activists and the Ukrainian military, using Excel files to deliver PicassoLoader.
- Virus Bulletin: SentinelLABS researcher Tom Hegel writes about an extension of the long-running Ghostwriter campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations with weaponized Excel document lures.
- Information Security Buzz: Cybersecurity researchers at SentinelLABS have uncovered a new campaign linked to the long-running Ghostwriter operation, targeting Belarusian opposition activists and Ukrainian military and government entities.
- gbhackers.com: Ghostwriter Malware Targets Government Organizations with Weaponized XLS File
- securityaffairs.com: New Ghostwriter campaign targets Ukrainian Government and opposition activists in Belarus
- Know Your Adversary: 058. Hunting for Ghostwriter
Classification:
- HashTags: #Ghostwriter #Cyberespionage #Malware
- Company: Microsoft
- Target: Belarusian Opposition and Ukrainian Government
- Product: Microsoft Excel
- Feature: Malware Delivery
- Malware: PicassoLoader
- Type: Espionage
- Severity: Major