A new campaign uses malware-laced Microsoft Excel documents as a lure to deliver a new version of to opposition activists in Belarus as well as Russian military and government officials.
The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057, and UNC1151) since 2016. It is known to support narratives critical of NATO and to align with Russian security objectives.
In a statement shared with The Hacker News, SentinelOne researcher Tom Hegel said the campaign has been in preparation since July-August 2024 and entered its active phase in November-December 2024. Based on recent malware samples and C2 infrastructure activity, the operation has remained active in recent days.
The attack chain analyzed by the cybersecurity company starts with a shared Google Drive document, created by a user named Vladimir Nikiforech, that contained a Zip archive.
When the malicious Excel workbook inside the archive is opened, it triggers an obfuscated macro once potential victims enable macros. The macro then proceeds to drop a DLL file, which ultimately paves the way for a reduced version of .
In the next step, a decoy Excel file is displayed to the victim while, in the background, additional payloads are downloaded onto the system. This technique was used to deliver the Cobalt Strike post-exploitation framework as recently as June 2024.
SentinelOne reported finding additional weaponized Excel documents that used Ukrainian-themed lures to retrieve an unknown second-stage malware from a remote URL (sciencealert[.]shop) in the form of a seemingly harmless JPG image, a technique known as watermark. The URLs are no longer available.
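As an added defensive example (not part of SentinelOne's analysis or the original report), the Python script below checks whether a file served as a "JPG" is really a JPEG and whether bytes are appended after its end-of-image marker, a simple indicator of a payload riding inside an image download. The sample bytes are constructed here; the trailing-data heuristic only catches appended payloads, not other ways of hiding data in an image.

```python
import struct
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # start-of-image marker

def find_jpeg_end(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments; return offset just past EOI, or None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: image data ends here
            return pos + 2
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers (no length)
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None

def assess_image(data: bytes) -> dict:
    """Flag non-JPEG content, malformed structure, or data appended after EOI."""
    if not data.startswith(JPEG_SOI):
        return {"is_jpeg": False, "trailing_bytes": 0, "suspicious": True,
                "reason": "content does not start with JPEG SOI marker"}
    end = find_jpeg_end(data)
    if end is None:
        return {"is_jpeg": True, "trailing_bytes": 0, "suspicious": True,
                "reason": "malformed JPEG structure (no EOI found)"}
    trailing = len(data) - end
    return {"is_jpeg": True, "trailing_bytes": trailing, "suspicious": trailing > 0,
            "reason": f"{trailing} bytes appended after EOI" if trailing else ""}

# Constructed samples: a minimal valid JPEG, the same with appended bytes, and a non-image.
CLEAN_JPG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9")
TAINTED_JPG = CLEAN_JPG + b"MZ" + b"\x90" * 62   # constructed stand-in for an appended payload
NOT_A_JPG = b"MZ\x90\x00" + b"\x00" * 60          # executable-looking bytes served with a .jpg name
```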
In another instance, the booby-trapped Excel document is used to deliver a DLL named LibCMD, which is designed to run cmd.exe and connect it to stdin/stdout. It is loaded directly into memory as a .NET assembly and executed.
“Throughout 2024, Ghostwriter has frequently used a combination of Excel worksheets containing Macropack-obfuscated VBA scripts and dropped embedded .NET downloaders obfuscated with ,” Hegel said.
Belarus’s military does not actively participate in Russia’s war, but it is apparent that its cyber threat actors have no reservations about conducting cyber espionage operations against Russian targets.