Ghostwriter (Storm-0257) – Threat Actor

June 13, 2024
in Threat Actors

Ghostwriter

Other Names

UNC1151, Storm-0257, DEV-0257, PUSHCHA, TA445, UAC-0057

Location

Belarus

Date of initial activity

2017

Suspected attribution

State-sponsored threat group

Government Affiliation

Belarus MoD

Associated Groups

Unknown

Motivation

Cyberespionage, spread disinformation campaigns

Associated tools

MicroBackdoor, BEACON

Active

Yes

Overview

The current regime under Belarusian president Aleksandr Lukashenko maintains close relations with Vladimir Putin and his administration, allegedly allowing Belarusian state assets to be deployed through the Belarusian Ministry of Defense. The group’s objective is to conduct disinformation campaigns aimed at undermining NATO’s credibility, primarily targeting Russian, Ukrainian, and Polish speakers across various European countries since 2017. Using spear-phishing, Ghostwriter has targeted members of Ukraine’s armed forces, compromising their accounts in order to reach their contacts and enable more destructive follow-on attacks. These efforts further Russian state interests and support the actions of associated advanced persistent threat (APT) groups.

Common targets

Primarily targets government and media entities in Ukraine, Lithuania, Latvia, Poland, and Germany, and promotes narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe. UNC1151 has focused mainly on Ukraine and Poland since the Russian invasion of Ukraine in February.

How they operate

Previous Campaign (2023)

Last year, a series of cyber campaigns targeted Ukrainian and Polish government, military, and civilian users using malicious Excel and PowerPoint files. These files, designed to look like official documents, tricked users into enabling macros that execute malicious VBA code. The campaigns evolved to use obfuscated code that drops and executes DLLs or downloaders, with later stages hidden in encrypted blobs appended to “.jpg” image files. The final payloads included njRAT, AgentTesla, and Cobalt Strike, aimed at information theft and remote control.

Latest Campaign (2024)

Campaign 1

The initial campaign observed in April 2024 targets the Ukrainian military (the Ministry of Defence of Ukraine, military base A0000), employing a combination of drone image files and a malicious Microsoft Excel spreadsheet. The strategy relied on socially engineered Excel lures sent via spam email to convince targeted users to enable macros, thereby triggering the execution chain. Upon double-clicking to open the .xls file, a button labeled ‘Enable Content’ is displayed, as shown in the figure below. Clicking this button runs the VBA macro embedded in the document.

When the VBA macro runs, it drops a shortcut file named “CybereasonActiveProbe.lnk” in the “AppData\Roaming\Microsoft\Windows\Start Menu\” folder and a malicious DLL file named “F072d76c85A40hjf9a3c0ab.dll” in the “\AppData\Roaming\Signal\bin\bin\” folder. It then executes the LNK shortcut file using Rundll32.exe. When the LNK file runs, it launches the malicious DLL through Rundll32.exe with the parameter “SrvLicInitialize”, as depicted in the figure below. The process tree of the infection therefore starts with the opening of the Excel spreadsheet and ends with the execution of the DLL file.

Campaign 2

In the next campaign, opening the Excel spreadsheet again displays an ‘Enable Content’ button; clicking it runs the VBA macro embedded in the document. The worksheet is designed to entice users to enable macros with content written in the Ukrainian language, as shown below. When the dropped LNK file runs, it launches the malicious DLL through Regsvr32.exe without any parameters, as illustrated in the figure below.

DLL Loader (Ac83faafb23919Ae9.DLl)

The DLL loader is an obfuscated .NET file. Once executed, it carries out the following actions on the victim’s system:

  • First, the DLL checks for specific processes: processhacker, avastui, aswtoolssvc, procexp, wsc_proxy, overseer, and avastsvc. If any of these processes is detected, it terminates itself. This behaviour is most likely intended to evade detection and bypass security tooling.
  • The DLL then modifies the system’s security protocol settings, either to evade detection or to carry out its malicious activity.
  • It also attempts to conceal its presence, making it harder for security analysts and automated detection systems to identify and mitigate the threat.
  • Next, the malware loads the System.Net assembly and configures a WebClient to download data from a specified URL (hxxps://goudieelectric[.]shop/cms/svg/6364.2809640e.chunk.svg). It sets a custom User-Agent header mimicking a mobile browser and retrieves the data with the DownloadData method, as shown in the figure below.
  • Based on the code, the downloaded file is likely another DLL, delivered as encrypted content encoded in Base64. During execution, we were not able to obtain the encrypted content. On successful retrieval, the DLL decodes the Base64 data and then decrypts it with an XOR operation.
  • The resulting DLL binary is saved in the Temp folder under a random name and executed via Rundll32.exe with the parameter “SrvLicInitialize”, as shown below. After executing the new DLL, the malware sleeps for a period of time and then deletes the DLL.

The primary difference between the two loader files of the 2024 campaign lies in their execution and encryption methods:

  • The “Ac83faafb23919Ae9.DLl” file is executed by the LNK shortcut through Regsvr32.exe without any parameters. It relies on plain strings within the file for its malicious operations and uses an XOR operation to decrypt the downloaded payload.
  • The “F072d76c85A40hjf9a3c0ab.dll” file is executed by the LNK shortcut through Rundll32.exe with the parameter “SrvLicInitialize”. It uses encoded/encrypted strings throughout the file, decoding/decrypting them during execution, and uses the RC4 algorithm to decrypt the downloaded payload.

In both cases the payload is an encrypted DLL that is decrypted and saved into the %temp% directory. The DLL is then executed through the export function parameter “SrvLicInitialize”, possibly leading to the final malware infection. Because the encrypted files were unavailable, we are unable to determine how the DLL files are used to deliver the final payload. As in previous UNC1151 campaigns, the final payload was possibly AgentTesla or Cobalt Strike, used for information stealing and remote access to infected systems.

TTP Shifts

The key variance between last year’s and this year’s campaigns lies in how the final payload is deployed. In the 2024 campaign, both malware loader files download an encrypted payload from a malicious URL that uses a “.svg” extension. The code responsible for downloading the next stage is continuously evolving. In earlier iterations, the call to Assembly.Load was relatively straightforward to identify; in the later campaigns, the threat actor added a layer of obfuscation, using the RuntimeBinder.Binder functionality to locate and invoke the functions for downloading, decrypting, and loading. In the latest campaign, the decrypted payload is a DLL file that is dropped into the %temp% folder and launched using Rundll32.exe with the parameter “SrvLicInitialize”, as shown below.
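The two loaders described above both retrieve a Base64-encoded blob and then decrypt it, one with XOR and one with RC4, before writing the result to %temp% and running it through Rundll32.exe. The following is an added analyst-side decoder for that second stage; it is not code from the original report or from the loaders themselves. The page does not give either loader’s key, so the keys and the PE-like sample blob below are constructed for the demonstration, and the single-byte XOR key recovery (by checking for the MZ header and DOS stub) is an assumption about how an analyst would proceed when the key is not yet extracted.

```python
"""
Decode a Base64 + XOR or Base64 + RC4 second stage of the kind described for
the UNC1151/Ghostwriter 2024 loaders.  Keys and sample data are constructed
for this example; the real keys are not given on the page.
"""
import base64

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (a single-byte key is just len(key) == 1)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap plausibility check for a decrypted Windows executable."""
    return blob[:2] == b"MZ" and DOS_STUB in blob


def decode_stage(b64_text: str, key: bytes, algorithm: str) -> bytes:
    """Base64-decode, then decrypt with the algorithm the loader variant uses."""
    raw = base64.b64decode(b64_text)
    if algorithm == "xor":
        return xor_bytes(raw, key)
    if algorithm == "rc4":
        return rc4(key, raw)
    raise ValueError(f"unknown algorithm: {algorithm}")


def recover_single_byte_xor(b64_text: str):
    """Try every single-byte XOR key and return (key, plaintext) of the first
    candidate that looks like a PE, or None.  Assumption: the XOR variant
    uses a one-byte key; a longer key needs the key extracted from the loader."""
    raw = base64.b64decode(b64_text)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if looks_like_pe(candidate):
            return k, candidate
    return None


# --- constructed sample data (not a real payload) ---------------------------
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 8
XOR_KEY = b"\x5a"                      # constructed key for the XOR variant
RC4_KEY = b"constructed-rc4-key"       # constructed key for the RC4 variant
XOR_STAGE_B64 = base64.b64encode(xor_bytes(FAKE_PE, XOR_KEY)).decode()
RC4_STAGE_B64 = base64.b64encode(rc4(RC4_KEY, FAKE_PE)).decode()


if __name__ == "__main__":
    key, pe = recover_single_byte_xor(XOR_STAGE_B64)
    print(f"XOR variant: recovered key 0x{key:02x}, PE header ok: {looks_like_pe(pe)}")
    pe2 = decode_stage(RC4_STAGE_B64, RC4_KEY, "rc4")
    print(f"RC4 variant: PE header ok: {looks_like_pe(pe2)}")
```

On a real capture the analyst would feed the raw HTTP response body to `decode_stage` (or `recover_single_byte_xor` when the key is still unknown) and then hand the recovered DLL to static analysis rather than executing it; the MZ/DOS-stub check is only a sanity filter, not proof that decryption is complete.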

MITRE Techniques Used

  • T1012: Query Registry
  • T1016: System Network Configuration Discovery
  • T1027: Obfuscated Files or Information
  • T1033: System Owner/User Discovery
  • T1055: Process Injection
  • T1059: Command and Scripting Interpreter
  • T1070.006: Timestomp
  • T1071.001: Web Protocols
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1087: Account Discovery
  • T1095: Non-Application Layer Protocol
  • T1140: Deobfuscate/Decode Files or Information
  • T1547.009: Shortcut Modification
  • T1573.002: Asymmetric Cryptography
  • T1620: Reflective Code Loading
  • T1622: Debugger Evasion
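The execution chain in “How they operate” (Excel lure → VBA macro → LNK → Rundll32.exe/Regsvr32.exe loading a DLL from AppData\Roaming, with the “SrvLicInitialize” export) maps to a small set of process-creation detections. The script below is an added example of that detection logic and is not code from the original report. The events are constructed Sysmon-style records, not real telemetry; modelling the LNK launch as Rundll32.exe/Regsvr32.exe having the Office process as direct parent is an assumption, as are the sample paths and process ids.

```python
"""
Flag the Ghostwriter/UNC1151 loader chain in process-creation telemetry.
Events are constructed samples with a Sysmon-like shape (pid, ppid, image,
cmdline); they are not taken from the original report.
"""
import json
import re

# Lure document handlers named on the page (Excel and PowerPoint).
OFFICE_IMAGES = {"excel.exe", "powerpnt.exe"}
# Proxy-execution binaries used by the two 2024 loaders.
LOLBINS = {"rundll32.exe", "regsvr32.exe"}
# Export invoked by the Rundll32 variant and by the decrypted second stage.
SUSPICIOUS_EXPORT = "srvlicinitialize"
# A DLL argument living under AppData\Roaming (e.g. the \Signal\bin\bin\ drop path).
ROAMING_DLL_RE = re.compile(r"\\appdata\\roaming\\[^\"']*\.dll\b", re.IGNORECASE)

# Constructed sample events: one benign rundll32 and two loader-style launches.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3001,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\user\Downloads\drone_report.xls'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\AppData\Roaming\Signal\bin\bin\F072d76c85A40hjf9a3c0ab.dll",SrvLicInitialize'},
    {"pid": 4200, "ppid": 4120,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\user\AppData\Roaming\Signal\bin\bin\Ac83faafb23919Ae9.DLl"'},
    {"pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per rundll32/regsvr32 event that matches at least
    one indicator of the loader chain, with the reasons listed."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        if image not in LOLBINS:
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent is not None and basename(parent["image"]) in OFFICE_IMAGES:
            reasons.append(f"spawned by Office application {basename(parent['image'])}")
        if ROAMING_DLL_RE.search(e["cmdline"]):
            reasons.append("loads a DLL from AppData\\Roaming")
        if SUSPICIOUS_EXPORT in e["cmdline"].lower():
            reasons.append("invokes export SrvLicInitialize")
        if reasons:
            findings.append({"pid": e["pid"], "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The parent-process check is the highest-signal indicator on its own: Office applications rarely spawn Rundll32.exe or Regsvr32.exe in normal use. The AppData\Roaming and export-name checks add confidence and cover the Regsvr32 variant, which passes no export parameter; a file-creation rule for “.lnk” files written under the Start Menu folder would complete the coverage.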

Significant Attacks

  • UNC1151 is a group that Mandiant assesses is sponsored by Belarus and has frequently used the access and information gained through its intrusions to support information operations tracked as “Ghostwriter.” (July 2022)
  • Mandiant Threat Intelligence has uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part of a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO. (June 2024)
  • Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. (July 2023)

References

  • Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
  • UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence
  • Malicious campaigns target government, military and civilian entities in Ukraine, Poland
  • UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
  • Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
  • ‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests
  • Cyber National Mission Force discloses IOCs from Ukrainian networks

Tags: BEACON, Belarus, cyberespionage, DEV-0257, Disinformation, Germany, Ghostwriter, Government, Latvia, Lithuania, MicroBackdoor, Military, NATO, North Atlantic, Poland, PUSHCHA, Russia, Storm-0257, TA445, Threat Actors, UAC-0051, Ukraine, UNC1151