Recent attacks by the Ghostwriter campaign have targeted opposition activists in Belarus and Ukrainian government and military organizations using weaponized Excel files. The ongoing cyber-espionage operation hides its malware inside macro-laden spreadsheet lures rather than relying on any document exploit.
Affected: Belarusian government opposition, Ukrainian military, Ukrainian government
Key points:
- SentinelLABS observed a campaign targeting Belarus opposition activists and Ukrainian entities.
- The activity, part of the long-running Ghostwriter campaign, escalated from preparation phases in mid-2024 to active attacks by late 2024.
- Weaponized Excel documents were leveraged to deliver malicious payloads like PicassoLoader and Cobalt Strike.
- New lures included themes related to political prisoners and anti-corruption initiatives.
- The malware used obfuscated VBA macros to drop and load DLLs that carry out the payload delivery.
- Benign JPEG files were used as decoys in the attack chain to mask the malicious activity.
- Ghostwriter has shown adaptability in delivery methods and payloads to evade detection.
MITRE Techniques:
- T1204.002 – User Execution: Malicious File: The Excel lures run only after the recipient opens them and allows the macro content to execute; no exploit is involved, so this is user execution rather than T1203 (Exploitation for Client Execution).
- T1059.005 – Command and Scripting Interpreter: Visual Basic: Obfuscated VBA macros execute the commands that load the malicious payloads.
- T1036 – Masquerading: Use of legitimate-looking file names and email addresses to deceive users into interacting with malware.
- T1071.001 – Application Layer Protocol: Web Protocols: Malicious HTTP requests download additional payloads and use legitimate-looking User-Agent strings to blend in with normal traffic.
Indicators of Compromise:
- [SHA-1] 18151b3801bd716b5a33cfc85dbdc4ba84a00314 (temp.xlsx)
- [SHA-1] 301ffdf0c7b67e01fd2119c321e7ae09b7835afc (Zrazok.xls; transliterated Ukrainian "зразок", i.e. "sample")
- [SHA-1] 9d110879d101bcaec7accc3001295a53dc33371f (Донесення 5 реч – зразок.xls; Ukrainian: "Report, 5 items – sample.xls")
- [SHA-1] 2c06c01f9261fe80b627695a0ed746aa8f1f3744 (Донесення 5 реч фонд зборів- зразок.xls; Ukrainian: "Report, 5 items, fundraising fund - sample.xls")
- [SHA-1] ebb30fd99c2e6cbae392c337df5876759e53730d (политзаключенные (по судам минска).xls; Russian: "political prisoners (by Minsk courts).xls")
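The hash list above only catches byte-identical copies of the lures, while the key points describe the real tell: an Excel workbook carrying an (obfuscated) VBA project. The following triage script, added here as an example and not code from SentinelLABS or the original page, combines both checks: it looks up each file's SHA-1 against the indicators listed above and, independently, flags spreadsheets that embed a VBA project. The VBA check is a structural heuristic (presence of `xl/vbaProject.bin` in an OOXML container, or a `_VBA_PROJECT` directory entry in a legacy OLE2 file); it does not decode the macro. The sample workbooks it builds are constructed stand-ins, not the real lures, and the function and verdict names are this example's own.

```python
import hashlib
import io
import zipfile
from pathlib import Path

# SHA-1 indicators listed on the page, keyed to the lure file names reported with them.
GHOSTWRITER_SHA1 = {
    "18151b3801bd716b5a33cfc85dbdc4ba84a00314": "temp.xlsx",
    "301ffdf0c7b67e01fd2119c321e7ae09b7835afc": "Zrazok.xls",
    "9d110879d101bcaec7accc3001295a53dc33371f": "Донесення 5 реч – зразок.xls",
    "2c06c01f9261fe80b627695a0ed746aa8f1f3744": "Донесення 5 реч фонд зборів- зразок.xls",
    "ebb30fd99c2e6cbae392c337df5876759e53730d": "политзаключенные (по судам минска).xls",
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsx/.xlsm) container header
EXCEL_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlsb"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def has_vba_project(data: bytes) -> bool:
    """Heuristic check for an embedded VBA project.

    OOXML workbooks keep macros in xl/vbaProject.bin inside the ZIP. Legacy OLE2
    workbooks keep them in a '_VBA_PROJECT_CUR' storage; OLE2 directory entry
    names are stored uncompressed as UTF-16LE, so a raw substring search finds
    them. This is triage only: the macro source is not decompressed or decoded.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE2_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage(name: str, data: bytes) -> dict:
    """Classify one file: exact IoC match first, then the macro-in-spreadsheet heuristic."""
    digest = sha1_hex(data)
    known = GHOSTWRITER_SHA1.get(digest)
    macro = has_vba_project(data)
    ext = Path(name).suffix.lower()
    if known:
        verdict = "ioc_match"
    elif macro and ext in EXCEL_EXTENSIONS:
        # Macro-enabled workbooks are normally .xlsm; a .xlsx carrying a VBA
        # project is mismatched with its own extension and deserves a closer look.
        verdict = "macro_in_xlsx" if ext == ".xlsx" else "macro_workbook"
    else:
        verdict = "no_finding"
    return {"name": name, "sha1": digest, "known_lure": known, "has_vba": macro, "verdict": verdict}


def scan_directory(root: Path) -> list[dict]:
    """Walk a quarantine or attachment folder and triage every regular file in it."""
    return [triage(p.name, p.read_bytes()) for p in sorted(root.rglob("*")) if p.is_file()]


def build_ooxml_sample(with_vba: bool) -> bytes:
    """Constructed sample (not a real lure): a minimal ZIP shaped like an OOXML workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            archive.writestr("xl/vbaProject.bin", b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


def build_ole2_sample(with_vba: bool) -> bytes:
    """Constructed sample (not a real lure): OLE2 magic plus a fake directory entry name."""
    body = bytearray(OLE2_MAGIC + b"\x00" * 504)
    body += ("_VBA_PROJECT_CUR" if with_vba else "Workbook").encode("utf-16-le")
    return bytes(body)


if __name__ == "__main__":
    samples = [
        ("temp.xlsx", build_ooxml_sample(True)),
        ("budget.xlsx", build_ooxml_sample(False)),
        ("Zrazok.xls", build_ole2_sample(True)),
        ("old.xls", build_ole2_sample(False)),
    ]
    for sample_name, blob in samples:
        print(triage(sample_name, blob))
```

The hash lookup is exact and will miss any recompiled or re-obfuscated lure, which the key points say Ghostwriter produces regularly; the VBA check is what keeps the script useful against the next variant. Treat a `macro_workbook` verdict as a prompt to pull the file into a proper macro analyzer, not as a final call, since plenty of legitimate internal spreadsheets carry VBA.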