Talos describes UNC1151/GhostWriter campaigns targeting Ukrainian and Polish government, military and civilian users to steal information and maintain persistent remote access. The activity spans April 2022 to at least July 2023; CERT-UA attributes the July 2023 campaign to UNC1151, the GhostWriter operation linked to the Belarusian government. Hashtags: #UNC1151 #GhostWriter
Keypoints
- Campaigns target Ukrainian and Polish government and military entities, as well as civilians, with information-stealing and persistence objectives.
- Activity ranges from April 2022 through at least July 2023; CERT-UA attributes the July campaign to UNC1151 as part of GhostWriter operations.
- Attacks use a multistage infection chain starting with malicious Microsoft Office documents (Excel and PowerPoint) designed to prompt macro execution.
- Final payloads include AgentTesla, Cobalt Strike beacons, and njRAT, indicating both information theft and remote access capability.
- Lures imitate official-looking images/text (e.g., ministries) to entice macro enabling; some PowerPoint lures run VBA even without visible slides.
- The VBA is obfuscated and uses randomised names: it writes a DLL to the user’s temporary folder and a shortcut (LNK) that launches the DLL via regsvr32.exe or rundll32.exe to load the next stage.
- The .NET downloader, protected with the ConfuserEx obfuscator, retrieves an image file carrying an encrypted next-stage blob; depending on the variant the blob is decrypted with AES (Rijndael) or RC4 and the result is loaded in memory.
- In addition to governmental targets, Polish/Ukrainian businesses and general users are exposed via lures such as fake VAT forms and macro-enabling instructions.
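The image-with-appended-blob stage described above, as an added example that is not Talos’s code: the page does not give the campaign’s actual image layout or keys, so this assumes the blob is simply appended after the JPEG End-Of-Image marker and is RC4-encrypted (RC4 is shown because it needs no third-party library; an AES variant would swap in a library call). The sample image, key and fake PE stub are constructed for illustration.

```python
"""Carve and decrypt a next-stage blob appended to a JPEG.

Added example, not Talos's code. Assumptions: the blob follows the JPEG
End-Of-Image marker and is RC4-encrypted; the campaign's real layout and
keys are not on the page.
"""
from __future__ import annotations

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def jpeg_end_offset(image: bytes) -> int | None:
    """Walk the marker segments to the real End-Of-Image marker and return the
    offset just past it. Walking the structure instead of searching for the
    last FF D9 means FF D9 bytes inside an appended (encrypted) blob cannot
    mislead the carver."""
    if not image.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(image):
        if image[pos] != 0xFF:
            return None
        marker = image[pos + 1]
        if marker == 0xD9:              # EOI with no scan data: degenerate but valid
            return pos + 2
        if pos + 4 > len(image):
            return None
        length = int.from_bytes(image[pos + 2:pos + 4], "big")
        pos += 2 + length               # skip marker + segment (length counts itself)
        if marker == 0xDA:              # SOS: entropy-coded data follows
            while pos + 1 < len(image):
                # inside scan data FF is always followed by 00 (stuffing) or an
                # RSTn marker, so the first FF D9 is the EOI
                if image[pos] == 0xFF and image[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            return None
    return None


def extract_payload(image: bytes, key: bytes) -> bytes | None:
    """Return the decrypted trailing blob if it looks like a PE, else None."""
    end = jpeg_end_offset(image)
    if end is None or end >= len(image):
        return None
    plain = rc4(key, image[end:])
    return plain if plain.startswith(b"MZ") else None


# Constructed sample: a minimal JPEG-shaped file (SOI, APP0, SOS header, a few
# bytes of scan data containing a stuffed FF 00, EOI) plus an RC4-encrypted
# fake PE stub. Key and content are illustrative assumptions.
SAMPLE_KEY = b"example-key"
FAKE_PE = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
MINIMAL_JPEG = (
    JPEG_SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + JPEG_EOI
)
SAMPLE_IMAGE = MINIMAL_JPEG + rc4(SAMPLE_KEY, FAKE_PE)

if __name__ == "__main__":
    blob = extract_payload(SAMPLE_IMAGE, SAMPLE_KEY)
    print("JPEG ends at", jpeg_end_offset(SAMPLE_IMAGE), "payload:", blob[:16] if blob else None)
```

Run against a real sample, the check to keep is the structural walk to the EOI: a naive `rfind(b"\xff\xd9")` will stop inside the ciphertext whenever the encrypted blob happens to contain those two bytes, and the carved payload will then fail to decrypt.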
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Lures delivered as malicious Microsoft Office documents (Excel/PowerPoint) prompting macro enablement. ‘The content of Excel and PowerPoint lures that include official-looking images and text’ and ‘the purpose of these socially engineered lures is to convince the targeted users to enable macros.’
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The infection chain begins with VBA macros in Excel/PowerPoint that decode and drop the next stage. ‘The VBA code in the Excel and PowerPoint-based campaigns displays a high level of similarity.’
- [T1027] Obfuscated Files and Information – The VBA is obfuscated with an obfuscator script to hinder analysis. ‘the code is obfuscated, using an obfuscator script.’
- [T1218.010] System Binary Proxy Execution: Regsvr32 and [T1218.011] System Binary Proxy Execution: Rundll32 – The dropper writes a DLL and a shortcut that uses regsvr32.exe (or rundll32.exe) to launch the next stage. ‘creates a randomly named dynamic loading library (DLL) file in the user’s temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.’
- [T1036] Masquerading – Lures imitate Ukraine’s MoD and Poland’s MoD, leveraging official branding to appear legitimate. ‘the lures imitate Ukraine’s Ministry of Defence and Poland’s Ministry of National Defence.’
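The Office-to-proxy-binary execution chain mapped above (VBA drops a DLL in the temp folder, an LNK runs it through regsvr32.exe or rundll32.exe) is what a detection should key on. The following is an added hunting example, not Talos’s detection content: it scores constructed Sysmon-style process-creation records (field names Image, ParentImage, CommandLine follow Sysmon Event ID 1; the paths, PIDs and file names are invented) and flags proxy binaries spawned by an Office application or loading a DLL from a temp folder.

```python
"""Hunt Office-to-proxy-binary execution chains in process-creation telemetry.

Added example, not Talos's detection content. SAMPLE_EVENTS are constructed
Sysmon-style records as JSON lines; paths, PIDs and DLL names are invented.
"""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "powerpnt.exe", "winword.exe"}
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe"}
# DLL/OCX path handed to the proxy binary, quoted or unquoted
DLL_ARG_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:dll|ocx))"?', re.IGNORECASE)
# user or system temp folders, where the VBA dropper writes its DLL
TEMP_PATH_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|temp)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def score_event(ev: dict) -> list[str]:
    """Return the reasons a process-creation event is suspicious (empty if none)."""
    child = _basename(ev.get("Image", ""))
    if child not in PROXY_BINARIES:
        return []
    reasons = []
    parent = _basename(ev.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        reasons.append(f"{child} spawned directly by Office application {parent}")
    m = DLL_ARG_RE.search(ev.get("CommandLine", ""))
    if m and TEMP_PATH_RE.search(m.group(1)):
        reasons.append(f"{child} loads a DLL from a temp folder: {m.group(1)}")
    return reasons


def hunt(jsonl: str) -> list[tuple[int, list[str]]]:
    """Run score_event over JSON-lines telemetry; return (ProcessId, reasons) hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((int(ev["ProcessId"]), reasons))
    return hits


# Constructed telemetry: two malicious chains from Office, one benign regsvr32
# from an installer, one benign Office child, and one LNK-style launch from
# explorer.exe that only the temp-folder rule catches.
SAMPLE_EVENTS = r'''
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\ana\\AppData\\Local\\Temp\\qx7hd2.dll", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\ana\\AppData\\Local\\Temp\\k9sd1f.dll,DllRegisterServer", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"ProcessId": 4301, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor App\\vendor.dll\"", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"ProcessId": 4410, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"ProcessId": 5012, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\ana\\AppData\\Local\\Temp\\m2v8pq.dll,#1", "ParentImage": "C:\\Windows\\explorer.exe"}
'''

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
```

The two rules are deliberately independent: the LNK may be opened by explorer.exe rather than by the Office process, so a parent-only rule misses the final launch, while the temp-folder rule still fires on the DLL path in the command line.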
Indicators of Compromise
- [Signature] ClamAV signatures – Doc.Malware.Corona-10003975-0, Win.Downloader.DotNETEncryptedJPEG-10006210-0, plus 16 further ClamAV signatures listed in the article.
Read more: https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/