Introduction

A recent surge in cyber-attacks attributed to the Ghostwriter threat actor has been observed [2] [3], focused primarily on Ukraine and on opposition groups in Belarus. The group, which has been linked to the Belarusian government [1] [2] [3], now uses weaponized Excel documents in its phishing campaigns [1], posing a significant threat to governmental and political entities in the region.

Description

Ghostwriter is a cyber-espionage group associated with the Belarusian government [1] [2] [3]. Its latest wave of attacks targets Ukraine and opposition groups in Belarus [1] [2] [3] and relies on weaponized Excel documents delivered by phishing [1]: obfuscated VBA macros embedded in the spreadsheets [1] [3] drop and run the malicious payload [1]. Recent analysis has identified new malware variants [3], including PicassoLoader and a downloader [2] [3], aimed at Ukrainian governmental bodies and Belarusian opposition figures [1] [2] [3].

One documented attack used a document titled “Political Prisoners in Minsk Courts,” delivered by a phishing email containing a Google Drive link that led to a malicious RAR archive holding the infected Excel workbook [3]. When the workbook was opened and its macro ran, the VBA code wrote a DLL disguised as an audio driver component (Realtek(r)Audio.dll) to disk [2] [3] and registered it with the legitimate Windows utility regsvr32.exe; the DLL in turn loaded a .NET assembly that downloaded additional payloads [2] [3]. A second attack targeted Ukrainian officials with a document named “Anti-Corruption Initiative” and used the same pattern [1], including a downloader disguised as a legitimate Windows process and spoofed domains intended to pass as benign infrastructure [2] [3].
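Detection logic for the chain described above, run over a handful of constructed Sysmon-style events. This is an added example, not code from the original report or from any of the cited sources; the event shape and field names, the victim path and the sample command lines are assumptions made for illustration. It generalizes slightly beyond the case in the text: it watches for any Office application writing a DLL to a user-writable path and for any of several living-off-the-land binaries being spawned by an Office application, then correlates the two so that the “macro drops a DLL, regsvr32.exe runs it” sequence surfaces as a single high-severity finding rather than two medium ones.

```python
import json
import re

# Constructed sample events in a Sysmon-style JSON-lines shape (not real telemetry).
# EventID 1 = process creation, EventID 11 = file creation. Paths are assumptions.
SAMPLE_LOG = [
    r'{"EventID":1,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"EXCEL.EXE C:\\Users\\victim\\Downloads\\report.xls"}',
    r'{"EventID":11,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","TargetFilename":"C:\\Users\\victim\\AppData\\Roaming\\Realtek(r)Audio.dll"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"regsvr32.exe /s \"C:\\Users\\victim\\AppData\\Roaming\\Realtek(r)Audio.dll\""}',
    r'{"EventID":11,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","TargetFilename":"C:\\Users\\victim\\Documents\\budget.xlsx"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""}',
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land binaries that a macro commonly hands its payload to.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Locations a low-privileged user can write to; a DLL here is worth a look.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Windows\\Temp|Users\\Public)\\",
    re.IGNORECASE,
)
# Pull every Windows path ending in .dll out of a command line, quoted or not.
DLL_IN_CMDLINE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    return [json.loads(line) for line in lines]


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def detect(events):
    """Return findings for Office-originated DLL drops and LOLBin launches.

    Events are processed in order; a DLL written by an Office process is
    remembered so that a later regsvr32/rundll32 launch of the same path can be
    promoted to a high-severity, correlated finding.
    """
    findings = []
    dropped = {}  # lower-cased DLL path -> office image that wrote it
    for ev in events:
        img = basename(ev.get("Image", ""))
        if ev["EventID"] == 11 and img in OFFICE_APPS:
            target = ev["TargetFilename"]
            if target.lower().endswith(".dll") and is_user_writable(target):
                dropped[target.lower()] = img
                findings.append({"rule": "office_wrote_dll", "severity": "medium",
                                 "detail": f"{img} wrote {target}"})
        elif ev["EventID"] == 1:
            parent = basename(ev.get("ParentImage", ""))
            cmdline = ev.get("CommandLine", "")
            if parent in OFFICE_APPS and img in LOLBINS:
                findings.append({"rule": "office_spawned_lolbin", "severity": "medium",
                                 "detail": f"{parent} -> {img}: {cmdline}"})
            if img in DLL_LOADERS:
                for dll in DLL_IN_CMDLINE.findall(cmdline):
                    if dll.lower() in dropped:
                        findings.append({"rule": "macro_dropped_dll_executed",
                                         "severity": "high",
                                         "detail": f"{dropped[dll.lower()]} dropped and {img} loaded {dll}"})
                    elif is_user_writable(dll):
                        findings.append({"rule": "lolbin_loaded_dll_from_user_path",
                                         "severity": "low", "detail": f"{img} loaded {dll}"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

Pointed at a real export of Sysmon Event ID 1 and 11 records the same three functions apply unchanged; the path list in USER_WRITABLE is the part to tune for an environment. The correlation key is the lower-cased full path, so case differences between the file-create event and the command line do not break the match, and the vendor.dll launch from msiexec.exe in the sample produces no finding because it is neither Office-spawned nor loaded from a user-writable location.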

Ghostwriter has demonstrated advanced stealth techniques [1], including obfuscation that modifies in-memory structures and alters portable executable (PE) headers to evade detection [2] [3]. Patterns consistent with past Ghostwriter operations have been identified [2] [3], among them the PicassoLoader malware and the obfuscation tools ConfuserEx and Macropack [2] [3]; the tools match the stages of the chain, since ConfuserEx obfuscates .NET assemblies such as the one loaded by the dropped DLL, and Macropack obfuscates VBA macros such as the one in the lure workbook. The group’s choice of targets aligns with Belarusian governmental interests [1] [2] [3], pointing to the geopolitical motivation behind its operations [1]. While no direct evidence links these attacks to Russia [2] [3], the focus on Ukraine suggests a broader geopolitical strategy [2] [3].

Weaponized Excel documents are a particularly effective vector because spreadsheets are routine in business and governmental correspondence [1] and rarely draw suspicion [1]. Note that current Office versions block macros by default in files that carry the Mark of the Web, so the chain above depends on delivery inside an archive (which, depending on the extraction tool, may strip that mark) and on a user choosing to enable content; a macro policy that blocks macros from internet-sourced or unsigned documents across the user population removes the initial execution step. The adaptability of malware variants like PicassoLoader indicates a high level of sophistication and planning within the Ghostwriter group [1], calling for detection and response capabilities that go beyond signature matching [1].

Ghostwriter remains a persistent threat [2] [3], and governments [1] [2] [3], NGOs [2] [3], and private organizations operating in Eastern Europe should stay vigilant against these evolving cyber tactics [2] [3]. The timing of the campaign coincides with Belarus’ presidential elections [2] [3], suggesting an effort to conduct cyber-espionage while suppressing political opposition [2] [3].

Conclusion

The Ghostwriter threat actor’s recent activities underscore the evolving nature of cyber threats in Eastern Europe, particularly against political and governmental targets. The combination of weaponized Excel documents, legitimate Windows utilities such as regsvr32.exe and obfuscated .NET and VBA stages highlights the need for enhanced cybersecurity measures. Organizations should prioritize detection and response strategies that cover this behaviour, in particular Office applications writing DLLs to disk and spawning system utilities. As geopolitical tensions persist, the likelihood of continued cyber-espionage activity remains high, requiring ongoing vigilance and adaptation in cybersecurity practices.

References

[1] https://undercodenews.com/rising-threats-the-evolving-tactics-of-ghostwriter-cyber-attacks/
[2] https://www.infosecurity-magazine.com/news/ghostwriter-cyber-attack-targets/
[3] https://ciso2ciso.com/ghostwriter-cyber-attack-targets-ukrainian-belarusian-opposition-source-www-infosecurity-magazine-com/