PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland
14.7.23 Virus The Hacker News
Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems.
The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT.
"The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats," Cisco Talos researcher Vanja Svajcer said in a new report. "This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult."
Some of the activities have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the Belarusian government.
It's worth noting that a subset of these attacks has already been documented over the past year by Ukraine's Computer Emergency Response Team (CERT-UA) and Fortinet FortiGuard Labs, one of which employed macro-laden PowerPoint documents to deliver Agent Tesla malware in July 2022.
The infection chains aim to convince victims to enable macros; the VBA macro then drops a DLL downloader, PicassoLoader, which contacts an attacker-controlled site to fetch the next-stage payload: a legitimate image file with the final malware embedded in it.
The disclosure comes as CERT-UA detailed a number of phishing operations distributing the SmokeLoader malware as well as a smishing attack designed to gain unauthorized control of targets' Telegram accounts.
Last month, CERT-UA disclosed a cyber espionage campaign aimed at state organizations and media representatives in Ukraine that makes use of email and instant messengers to distribute files, which, when launched, results in the execution of a PowerShell script called LONEPAGE to fetch next-stage payloads such as a browser stealer (THUMBCHOP) and a keylogger (CLOGFLAG).
GhostWriter is one among the many threat actors that have set their sights on Ukraine. They also include the Russian nation-state group APT28, which has been observed using HTML attachments in phishing emails that prompt recipients to change their UKR.NET and Yahoo! passwords, citing suspicious activity on their accounts, and redirect them to bogus landing pages that steal their credentials.
The development also follows the adoption of a "standard five-phase playbook" by hackers associated with the Russian military intelligence (GRU) in their disruptive operations against Ukraine in a "deliberate effort to increase the speed, scale, and intensity" of their attacks.
The five phases comprise: gaining initial access through living-on-the-edge infrastructure (internet-facing edge devices); using living-off-the-land techniques for reconnaissance, lateral movement and information theft, which limits the malware footprint and evades detection; creating persistent, privileged access via group policy objects (GPOs); deploying wipers; and telegraphing the acts through hacktivist personas on Telegram.
"The benefits the playbook affords are notably suited for a fast-paced and highly contested operating environment, indicating that Russia's wartime goals have likely guided the GRU's chosen tactical courses of action," Google-owned Mandiant said.
Coinciding with these unabated attack waves is a tailored phishing campaign orchestrated by APT29 to target at least 22 diplomatic missions within Ukraine using vehicle-themed lures since May 2023. Also called Cloaked Ursa, Cozy Bear, or Midnight Blizzard, the group is publicly attributed to Russia's Foreign Intelligence Service (SVR).
The attacks "use the legitimate sale of a BMW to target diplomats in Kyiv, Ukraine, as its jumping off point," Palo Alto Networks Unit 42 said, with the threat actor repurposing a flyer originally sent by a diplomat within the Polish Ministry of Foreign Affairs to various embassies to pull off the scheme.
The email messages embed a link that claims to offer "more high quality photos" of the car, but, when clicked, results in the download of malware that uses Dropbox and the Microsoft Graph API as command-and-control (C2) channels for follow-on activity, a known hallmark of the state-sponsored crew.
"Cloaked Ursa likely first collected and observed this legitimate advertising flyer via one of the email's recipients' mail servers being compromised, or by some other intelligence operation," the researchers said. "Upon seeing its value as a generic yet broadly appealing phishing lure, they repurposed it. This is staggering in scope for what generally are narrowly scoped and clandestine APT operations."