PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland

Jul 13, 2023 | THN | Cyber Attack

Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems.

The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT.

“The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats,” Cisco Talos researcher Vanja Svajcer said in a new report. “This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.”

Some of the activity has been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the Belarusian government.

It is worth noting that a subset of these attacks has already been documented over the past year by Ukraine’s Computer Emergency Response Team (CERT-UA) and Fortinet FortiGuard Labs, one of which employed macro-laden PowerPoint documents to deliver Agent Tesla malware in July 2022.

The infection chains aim to convince victims to enable macros, with the VBA macro engineered to drop a DLL downloader known as PicassoLoader that subsequently reaches out to an attacker-controlled website to fetch the next-stage payload, a legitimate image file that embeds the final malware.
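One defender-side check for the "legitimate image that embeds the final payload" stage is to verify that a downloaded image ends where its format says it should; the example below is added here and is not code from Talos or from the campaign it describes. It assumes the appended-after-end-marker concealment technique (the article does not say how PicassoLoader's image carrier is built, and data hidden inside the pixel stream would not be caught by this check), walks a PNG's chunk list to find IEND, and reports how many bytes trail it; the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after the IEND chunk, or -1 if `data` is not
    a structurally valid PNG (bad signature, truncated chunk, or no IEND)."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
        if chunk_end > len(data):
            return -1  # truncated chunk: not a well-formed image
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    return -1  # ran off the end without seeing IEND

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not a campaign artifact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed samples: a clean image, and the same image with 66 bytes of
# placeholder data appended after IEND (a stand-in, not an actual payload).
CLEAN_PNG = make_minimal_png()
STAGED_PNG = CLEAN_PNG + b"\x90" * 66

def classify(data: bytes) -> str:
    """Map the trailer size to a triage verdict for a fetched image file."""
    trailing = png_trailing_bytes(data)
    if trailing < 0:
        return "not-a-valid-png"
    return "clean" if trailing == 0 else f"trailing-data:{trailing}"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("staged", STAGED_PNG)):
        print(name, classify(blob))
```

A non-zero trailer on an image fetched by an Office-spawned process is a strong triage signal; a valid image with zero trailing bytes only means this particular concealment method was not used.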

The disclosure comes as CERT-UA detailed several phishing operations distributing the SmokeLoader malware as well as a smishing attack designed to gain unauthorized control of targets’ Telegram accounts.

Last month, CERT-UA disclosed a cyber espionage campaign aimed at state organizations and media representatives in Ukraine that uses email and instant messengers to distribute files which, when launched, result in the execution of a PowerShell script called LONEPAGE to fetch next-stage browser stealer (THUMBCHOP) and keylogger (CLOGFLAG) payloads.

GhostWriter is one of the many threat actors that have set their sights on Ukraine. This also includes the Russian nation-state group APT28, which has been observed using HTML attachments in phishing emails that prompt recipients to change their UKR.NET and Yahoo! passwords due to suspicious activity detected in their accounts, in order to redirect them to bogus landing pages that ultimately steal their credentials.

The development also follows the adoption of a “standard five-phase playbook” by hackers associated with Russian military intelligence (GRU) in their disruptive operations against Ukraine in a “deliberate effort to increase the speed, scale, and intensity” of their attacks.

This includes taking advantage of living-on-the-edge infrastructure to gain initial access, using living-off-the-land techniques to conduct reconnaissance, lateral movement and data theft to limit their malware footprint and evade detection, creating persistent, privileged access via group policy objects (GPO), deploying wipers, and telegraphing their acts through hacktivist personas on Telegram.

“The advantages the playbook offers are particularly suited to a fast-paced and highly contested operating environment, indicating that Russia’s wartime goals have likely guided the GRU’s chosen tactical courses of action,” Google-owned Mandiant said.