
Ghostwriter Cyberattacks: Targeting Ukraine and Belarusian Opposition with Malicious Excel Files

N2K Networks · December 27, 2025 · 23 min · 263 views

Ghostwriter Threat Actor Overview

  • 🎯 Ghostwriter is a threat actor with nearly a decade of activity, significantly increasing focus on the Ukraine region since the 2022 conflict.
  • 🌍 Historically, Ghostwriter has targeted Western countries but has recently shifted to more domestic targeting within Belarus.
  • 🔗 The group is believed to be operating within the Belarusian government, with potential collaborations with the Russian government.

Shifting Targeting Strategies

  • 🇺🇦 The campaign targets Ukrainian government and military entities for intelligence gathering and espionage, a typical MO for the group.
  • 🇧🇾 A secondary focus is on the Belarusian political opposition and human rights activists, aiming to push propaganda and disrupt domestic dissent.
  • 🎭 This domestic targeting is seen as an evolution, becoming more direct in silencing opposition and blending information operations with malware delivery.

Technical Attack Vectors

  • 📧 Attacks often begin with credential phishing or, more recently, strategic malware delivery via malicious documents hosted on platforms like Google Drive.
  • 📄 Lures are highly specific to the target, often using Excel spreadsheets with heavily obfuscated VBA macro code.
  • 📥 The macro code writes a DLL file to the temp directory, which then loads a downloader (Picasso loader) for further payload delivery.
  • ⚙️ The malware establishes persistence on the victim's machine, ensuring it runs upon system startup.

Sophistication and Evasion Tactics

  • 💡 While not highly sophisticated, the attacks are persistent and creative, focusing on what works in practice and on bypassing basic security measures.
  • 💻 Sophistication lies in the final stages, where the malware rewrites itself in memory and uses obfuscation techniques to evade antivirus and EDR tools.
  • 🎭 A fake lure document is presented to the victim after the malicious activity, masking the background processes and reducing suspicion.

Objectives and Impact

  • πŸ•΅οΈβ€β™‚οΈ For Ukrainian targets, objectives include espionage, intelligence gathering, or providing access for more disruptive actors.
  • πŸ“’ For Belarusian targets, objectives range from monitoring political opposition activities to actively disrupting or silencing them.
  • πŸ“Š Gauging success is difficult; while information operations have been notably successful in spreading narratives, direct impact on elections or military intelligence is hard to measure.

Recommendations for Defense

  • 📧 Email filtering is crucial, with strict controls on links to cloud storage and downloaded files.
  • 🚫 Implementing strict controls on what can run on machines, blocking unknown executables or files from untrusted sources, is vital.
  • πŸ›‘οΈ Disabling macros helps, but attackers adapt; a multi-layered defense approach combining prevention, detection, and response is recommended.
  • πŸ”’ Individuals, especially those in high-risk regions without advanced security tools, should use features like Apple's Lockdown Mode or equivalent Android protections.
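The first recommendation, strict filtering of downloaded files, can be made concrete at a mail or download gateway with a structural check rather than a signature: modern Office documents are zip containers, and a VBA project lives in a well-known part (`xl/vbaProject.bin` for Excel, `word/vbaProject.bin` for Word). The following added example, written for this page and not taken from the episode, quarantines any attachment that carries a VBA project and additionally flags the mismatch case where macro content hides under a non-macro extension. The sample attachments are constructed in memory, and the quarantine policy is an assumption of the example.

```python
# Added example: gateway triage of Office attachments by zip structure.
# Sample attachments are constructed below; the policy (quarantine anything
# with a VBA project) is an assumed organisational choice.
import io
import zipfile

MACRO_PARTS = ("xl/vbaproject.bin", "word/vbaproject.bin", "ppt/vbaproject.bin")
MACRO_EXTS = (".xlsm", ".xltm", ".docm", ".dotm", ".pptm")
OOXML_EXTS = MACRO_EXTS + (".xlsx", ".docx", ".pptx")


def inspect_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment as allow, quarantine, or not-ooxml."""
    lname = name.lower()
    if not lname.endswith(OOXML_EXTS):
        return {"name": name, "verdict": "not-ooxml", "reasons": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = {n.lower() for n in z.namelist()}
    except zipfile.BadZipFile:
        # An Office extension that is not a zip container is itself anomalous.
        return {"name": name, "verdict": "quarantine", "reasons": ["not a valid OOXML zip"]}
    reasons = []
    if any(p in parts for p in MACRO_PARTS):
        reasons.append("contains VBA project")
        if not lname.endswith(MACRO_EXTS):
            reasons.append("macro content under non-macro extension")
    verdict = "quarantine" if reasons else "allow"
    return {"name": name, "verdict": verdict, "reasons": reasons}


def _make_ooxml(parts) -> bytes:
    """Build a minimal zip that mimics an OOXML container (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        for p in parts:
            z.writestr(p, b"\x00")
    return buf.getvalue()


SAMPLES = {  # constructed attachments, not real files
    "report.xlsx": _make_ooxml(["xl/workbook.xml"]),
    "budget.xlsm": _make_ooxml(["xl/workbook.xml", "xl/vbaProject.bin"]),
    "invoice.xlsx": _make_ooxml(["xl/workbook.xml", "xl/vbaProject.bin"]),
    "notes.txt": b"plain text, not an Office file",
}


def triage(samples: dict) -> dict:
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in triage(SAMPLES).values():
        print(result["name"], result["verdict"], result["reasons"])
```

This check is cheap and runs before any macro is parsed, which matters because the episode's point about heavy VBA obfuscation is exactly that content-based macro scanning is the stage the attackers tune against. The structural check does not inspect the macro at all; it only decides whether a macro-bearing document should reach an inbox in the first place.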