Belarusian opposition activists and Ukrainian military and government agencies are targets for a new campaign to adopt malware-covered Microsoft Excel documents as lures to provide a new variant of Picassoroder.
The Threat Cluster has been rated as an extension of a long-term campaign fitted by Belarusian threat actors called Threat Actors (aka Moonscape, TA445, UAC-0057, and UNC1151) since 2016 Masu. It is known to coincide with Russia’s security interests. It promotes narratives critical of NATO.
“The campaign was prepared in July-August 2024 and entered the active phase from November-December 2024,” Sentinelone researcher Tom Hegel shared with Hacker News This was mentioned in the technical report. “Recent malware samples and command and control (C2) infrastructure activity indicate that recent operations are still active.”
The starting point for the attack chain, analyzed by cybersecurity companies, is a Google Drive Shared document originating from an account named Vladimir Nikiforech and hosting the RAR archive.
The rat file contains malicious Excel workbooks. This triggers the execution of obfuscated macros when opened, allowing future victims to run the macros. The macro will eventually proceed to writing DLL files that open the way to a simplified version of Picasso Roder.
In the next stage, the Dicoy Excel file will be displayed to the victim, but in the background, an additional payload will be downloaded to the system. In June 2024, we used this approach to provide a post-explosion framework after cobalt strike.
Sentinelone said he also discovered other weaponized Excel documents, including Ukrainian-themed lures, to retrieve unknown stage 2 malware from the remote URL (“Sciencealert[.]Shop “) A technique known as steganography in the form of seemingly harmless JPG images. URLs are no longer available.
Another example uses an Excel document trapped in a booby to deliver a dll named libcmd, designed to run cmd.exe and connect to stdin/stdout. It is loaded directly into memory as a .NET assembly and executed.
“Throughout 2024, Ghostwriters repeatedly used combinations of Excel workbooks that contain Macropack-obfuscated VBA macros and dropped obfuscated embedded .NET download devices in Confuserex,” Hegel said.
“Belarus is not actively involved in military campaigns in the war in Ukraine, but it appears that cyber threat actors associated with it will not make a reservation on carrying out cyber espionage activities against Ukrainian targets.”
Source link
