State-Linked Spear-Phishing Campaign Targeting Government, Military Personnel
Belarus state-linked hackers are targeting government and military entities in both Ukraine and Poland with spear-phishing campaigns that deliver remote access Trojans.
“The threat actor’s goal is information stealing and remote control of targeted systems,” said researchers at cybersecurity firm Cisco Talos.
Cisco Talos said it had found the payload deployment of info-stealing njRAT malware this month while analyzing the latest espionage campaign against the two countries. The threat actor has been active since as early as April 2022.
The Computer Emergency Response Team of Ukraine recently attributed the July incidents to the hacker group Ghostwriter (see: Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit).
Also known as UNC1151 by Mandiant, the hackers have close ties with the Belarusian government, which emerged as the closest ally of Russia after its invasion of Ukraine in February 2022.
The group typically relies on highly targeted spear-phishing campaigns that drop info stealers to phish email credentials, exfiltrate website admin panel credentials and distribute secondary malware, including RATs such as AgentTesla and njRAT.
In the campaign observed by Cisco Talos, attackers deployed a multistage infection. The attack chain began with malicious email attachments typically containing Microsoft Excel and PowerPoint file formats.
CERT-UA and Cisco Talos said the files imitated Ukraine’s Ministry of Defense, Poland’s Ministry of National Defense and the State Treasury Service of Ukraine, a lure intended to get recipients to open the document and enable macros, at which point malicious code runs in the background. For example, one of the Excel documents was designed to forge a form used to calculate the salary payments of soldiers of a specific military unit.
Cisco Talos also observed the use of Excel spreadsheets masquerading as value-added tax return forms that executed malicious VBA code. “All campaigns start with Microsoft Office documents, which are possibly sent to the targets as email attachments,” Cisco Talos said. “In most cases, the file is an Excel spreadsheet containing a VBA macro, but we also found four instances where a malicious PowerPoint OLE2 file was used, possibly indicating the actor’s readiness to use file formats less commonly used in attacks.”
The VBA code is responsible for loading a downloader malware called PicassoLoader, which further deploys a secondary payload including the AgentTesla remote access Trojan, njRAT and Cobalt Strike beacons, which are used to maintain persistence and exfiltrate data from the victim’s system.
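The chain described above starts with an Office attachment: an OOXML spreadsheet carrying a VBA project, or a legacy OLE2 PowerPoint file. A mail gateway or triage script can flag both formats before a user ever sees the lure. The following is an added example, not code from Cisco Talos or CERT-UA; it uses only the Python standard library, and the sample attachments it builds (file names, contents) are constructed for illustration rather than taken from the campaign.

```python
import io
import zipfile

# Compound File Binary (OLE2) header, the container used by .xls/.doc/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that should not arrive inside a mailed ZIP (assumption: site policy).
RISKY_INNER_EXTS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".bat", ".cmd",
                    ".xls", ".xlsm", ".doc", ".docm", ".ppt", ".pptm")


def _zip_names(data: bytes):
    """Return member names if data is a ZIP container, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by container and macro presence."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy-office"          # binary Office file; may embed VBA
    names = _zip_names(data)
    if names is None:
        return "other"
    if "[Content_Types].xml" in names:       # OOXML (xlsx/xlsm/docx/pptx) is a ZIP
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-with-macro"        # VBA project stored as vbaProject.bin
        return "ooxml-no-macro"
    return "zip-archive"                     # plain ZIP, e.g. a "receipt" lure


def triage(filename: str, data: bytes):
    """Return (verdict, reason) for one attachment; verdict is allow/quarantine."""
    kind = classify_attachment(data)
    if kind == "ooxml-with-macro":
        return ("quarantine", f"{filename}: OOXML document carries a VBA project")
    if kind == "ole2-legacy-office":
        return ("quarantine", f"{filename}: legacy OLE2 Office container")
    if kind == "zip-archive":
        risky = [n for n in _zip_names(data) if n.lower().endswith(RISKY_INNER_EXTS)]
        if risky:
            return ("quarantine", f"{filename}: ZIP contains {', '.join(risky)}")
    return ("allow", f"{filename}: {kind}")


# --- constructed sample attachments (not real campaign files) -----------------
def _build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def _build_zip(inner_name: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder")
    return buf.getvalue()


SAMPLES = {
    "salary_form.xlsm": _build_ooxml(with_macro=True),
    "vat_return.xlsx": _build_ooxml(with_macro=False),
    "briefing.ppt": OLE2_MAGIC + b"\x00" * 504,
    "receipt.zip": _build_zip("receipt.js"),
    "notes.txt": b"plain text, nothing to see",
}


def triage_all(samples=SAMPLES):
    """Triage every sample; returns {filename: verdict}."""
    return {name: triage(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(*triage(name, data))
```

The check is deliberately structural: it does not try to parse or emulate the VBA, only to notice that a mailed document can run code at all, which is the property the lures in this campaign rely on. A production gateway would pair this with sandbox detonation and with blocking macros from internet-sourced files via Office policy.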
Another Trojan – SmokeLoader
In recent months, threat actors targeting Ukraine and its allies have been experimenting with different file formats and phishing lures to avoid detection. On Thursday, CERT-UA recorded another mass campaign that had the lure of “Bill” receipts and contained a ZIP file – Act_Zvirky_ta_rach.fakt_vid_12_07_2023.zip – as an attachment.
The attackers again likely used compromised email accounts to distribute these phishing emails. Opening the ZIP file eventually led to the download and execution of SmokeLoader malware, a large family of Trojans known since 2011 that load additional malware and have plug-ins for information exfiltration (see: Ukrainian CERT Warns of New SmokeLoader Campaign).
Unlike other threat groups that deploy RATs for espionage, the threat actor using ZIP files – tracked as UAC-0006 – is financially motivated and typically targets computers used by accountants. It looks for access to banking systems and credential data in order to create unauthorized payments, CERT-UA said.