CyberWire Daily - Excel-lerating cyberattacks. [Research Saturday]

Episode Date: March 22, 2025

This week, we are joined by Tom Hegel, Principal Threat Researcher from SentinelLabs research team, to discuss their work on "Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition." The latest Ghostwriter campaign, linked to Belarusian government espionage, is actively targeting Ukrainian military and government entities as well as Belarusian opposition activists using weaponized Excel documents. SentinelLabs identified new malware variants and tactics, including obfuscated VBA macros that deploy malware via DLL files, with payload delivery seemingly controlled based on a target’s location and system profile. The campaign, which began preparation in mid-2024 and became active by late 2024, appears to be an evolution of previous Ghostwriter operations, combining disinformation with cyberattacks to further political and military objectives. The research can be found here: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed.
Starting point is 00:00:31 Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
Starting point is 00:01:04 You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyber wire. Just go to indeed.com slash cyber
Starting point is 00:01:33 wire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash cyber wire. Terms and conditions apply. Hiring? Indeed is all you need. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Starting point is 00:02:16 Thanks for joining us. Ghostwriter is an actor that we've been pretty closely tracking for some time. They've been around for, it's been close to a decade at this point. They really kind of popped up in around 2016. But when the war in Ukraine kicked off more recently, that really kind of drew our attention to Ghostwriter and the activity that they were doing within the region. That's Tom Hegel, principal threat researcher from SentinelLabs research team. The research is titled Ghostwriter, New Campaign Targets Ukrainian Government and Belarusian
Starting point is 00:02:56 Opposition. A lot of what that group has done over the years has stretched outward into regions that we tend to have defensive postures in, in like Western countries and so forth. So that is ultimately what attracts us to tracking this actor and trying to stay on top of what they're doing, defend against them from a technical perspective, but also from like an intelligence perspective as well. So with that posture in mind, we ultimately have a lot of monitoring in place
Starting point is 00:03:31 for anything that this actor's doing new in regions that we typically don't see them in, anything that could pop up as an interesting shift in techniques or targets and so forth. So got a lot of things in place to watch them. And ultimately, this research was centered around a lot of interesting shifts in the technicalities of how they're doing their attacks with the malicious documents, but also more of the domestic targeting, which we don't see too often.
Starting point is 00:04:01 The domestic targeting in particular is what we see kind of focused on the Belarusian political opposition for the upcoming presidential election in that area and so forth. So a lot of interesting things kind of going on with this actor is really what took our attention to kind of focus on them and kind of find this research out. Before we dig into some of the technical details here, as you point out, this campaign seems to focus on Ukrainian government officials and the Belarusian opposition. Why do we suppose that these groups are being targeted? Yeah, a lot of this really comes back to looking at the history of this threat actor in general.
Starting point is 00:04:42 Our understanding is that this threat actor, and kudos to some amazing research done by others in the industry like Mandiant and others, they've found a lot of interesting things and published on it. We were able to corroborate it in many places, but ultimately what we see is Ghostwriter is an organization likely in operation within Belarus government with close collaborations potentially with the Russian government and so forth. So when you take that into account, we see a lot of the typical anti-NATO targeting. Anything with Ukraine right now is obviously a very hot topic, but ultimately, whatever
Starting point is 00:05:23 borders Belarus tends to be the area of focus for them. Now the activity of going against Ukrainian organizations, gov, military, like we saw in our research here, that's ultimately not too unexpected for this group. That's kind of the MO for them, Going after something that would be such a high priority to them, getting intelligence on the Ukrainian operations and so forth is very key. But then you see almost like this secondary cluster
Starting point is 00:05:54 of activity within Ghostwriter that is doing the domestic stuff. So we see the domestic stuff is ultimately trying to push out propaganda, trying to blend with like information ops, combined with like these targeted malware operations against individuals and organizations that might be seen as negative to domestic disputes within Belarus in particular. So we're ultimately seeing like a state of Ghostwriter that is targeting anything that is anti-Belarus in its current form, if that makes sense.
Starting point is 00:06:31 Yeah. And now does that differ from previous Ghostwriter operations? I mean, particularly that focus on the domestic? It doesn't. They have had some activities of going to domestic targeting in the past, but it hasn't been so obvious. Previously, there's been a lot of efforts by Ghostwriter and others in the previous presidential election out there to ultimately silence media, journalists, and so forth. In this recent activity, it was more so going after like human rights activists, direct
Starting point is 00:07:06 political opposition and so forth. And that was a little bit more direct in terms of kind of what they're aiming to do. But the ultimate like target sets really aren't outside the bounds of what's normal. What this does show is the first identification of the domestic targeting in quite some time that we've seen from outside as outsiders in Western nations right now. So that is a bit more noteworthy than this targeting itself because they kind of are all over the place and we've seen them pop up in South America. You know, the Western countries a little bit here and there, but domestic
Starting point is 00:07:46 stuff, InformationOps is kind of like the go-to strategic targeting with malware infections like this domestically. It speaks to kind of the political affairs kind of going on there domestically right now. Yeah. Well, let's dig into some of the technical details here. I mean, how do they go about doing the things that they do? Yeah, absolutely.
Starting point is 00:08:06 So historically the group has leaned into like traditional credential phishing where they give you a link and you go and type your password and they steal your account and then go and pilfer everything out of the account, email, social medias, and so forth. Typical like spyware espionage kind of, depending on who the targeting is.
Starting point is 00:08:23 More recently, and what we reported on here, is strategic malware attacks. And the way that they're doing this is rather than trying to steal legitimate credentials and do kind of like a smash and grab of stealing whatever they can get their hands on, they're trying to get maintained access, in this case, to strategic target devices. So what we reported on ultimately centers around a delivery of a malicious document. In our case, we see Google Drive being the main way of them hosting the malicious documents. So they ultimately email a link to the malicious document saying basically creating the standard phishing lure.
Starting point is 00:09:02 In this case, what we have are lures specific to domestic targets, lures that are very specific to that individual and what that person studies, if it's like the presidential election or political opposition research, things like that. Or if it's on the Ukraine side, it's anti-corruption initiatives in Ukraine or military equipment deliveries, things like that. And then that lure is very specific to their targets. And then they go and download this file. In this case, what we mostly see are Excel spreadsheets.
Starting point is 00:09:38 And that Excel spreadsheet ultimately contains pretty heavily obfuscated and hidden VBA macro code. And that macro code is kind of like the gateway into the target device. There's a lot of different variations. We reported on a couple of differences in all of them based on like who the target is and the timing of specifically when it went down, which ultimately speaks to kind of seeing the actor shift over time. But what we're seeing are these VBA macros lean into essentially writing a DLL file to the temp directory of the target device in the background as they're reading this file. This DLL is ultimately loaded. We go through what we call a couple different stages. So stage one would be the Excel spreadsheet. Stage two would be this DLL file. And this DLL file gains persistence on the machine.
Starting point is 00:10:29 It's installed in a persistent way. So anytime the machine starts, this DLL file will attempt to start as well. And what this DLL file is comes down to being essentially a downloader. We call it Picasso Loader. It's kind of the industry standard name or Picasso Downloader. And it essentially allows a third layer tooling to be loaded at the attacker's discretion. But it's all gained persistently at that point. So that's how they kind of get it. We'll be right back.
Starting point is 00:11:07 Tired of investigation tools that only do one thing at a time? Spending more time juggling contracts with data vendors than actually investigating? Maltego changes that for good. Get one investigation platform, one bill to pay, and all the data you need in one place. It comes with curated data and a full suite of tools to handle any digital investigation. Connect the dots so fast cyber criminals won't even have time to Google what Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers.
Starting point is 00:12:03 So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:12:31 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. What would you rate the level of sophistication here in terms of being stealthy? You know, the stealth isn't so great. The sophistication isn't high, but what you're seeing is like the persistence and just like the workability of this whole thing. It's just smooth. It kind of works. And unfortunately, in many of these cases, the targets that they're going after aren't
Starting point is 00:13:31 often the most secure. So they might be unpatched to a vulnerability or they might not be running some sort of protection that would stop something like this. So that level of sophistication is not quite there. But what we do see, I would say like what is sophisticated about it is more of like the fine-tuned crafts to exactly what they're doing. So for example, the way that the VBA ultimately turns into running malware is it goes through a process of essentially rewriting itself in memory and turned itself from the DLL into
Starting point is 00:14:06 essentially the malware that runs, the.NET code of the actual malware. It goes through a couple stages of like, obfuscation, using freely available tools out there to conceal itself from antivirus or EDR tools or even like an analysis of just looking at the file itself. So those little details at like the final stage is what makes it so seamlessly, or what makes it so successful to install in many of these cases we've seen. So like overall, I wouldn't say like the actors
Starting point is 00:14:36 being incredibly sophisticated, what they are being is persistent and creative, but when it matters, like little things just to kind of get past the little hiccups of like endpoint protection or somebody not seeing this file or somebody having a clue that this file might be malicious, that's where they put a little bit of effort
Starting point is 00:14:54 into it as well. And that really can also be kind of highlighted by the fact that after all this happens, a lure document, a fake lure document is opened to show them what they think they should be seeing anyway. So all this is happening in the background, they're actually given a document of what they believe
Starting point is 00:15:10 to be what they were sending and opening. So they might not question this whole process they just experienced. Yeah, that's really interesting. I mean, it seems like, I don't know, perhaps their capabilities exceed what they're showing in this campaign. Is that a fair way to say it?
Starting point is 00:15:27 Yeah, you know, that's a good way to put it. Another way to even think about it would be the multi-approach that they've always taken over the years. This is just a targeted phishing lure that's delivered malware, and it may lead to other malware down the road or strategic data exfil depending on the victim or whatever. But the fact that this group also has done pretty well in like domestic information ops and propaganda spreading into mainstream media in the region and even things like the credential
Starting point is 00:15:59 phishing I've talked about. The combination of skill sets there are pretty diverse and it speaks to me of like an organization that gets a lot of backing and resources from the more capable organizations, perhaps in Russia or elsewhere, but they're getting the financial backing and they're getting the support to be able to experiment
Starting point is 00:16:20 to kind of do what needs to get done. So pretty interesting group to follow. What ultimately does it seem like they're after here? I mean, is that as customized as the way they come at people? Yeah, it definitely is a unique target objective for sure. So in the Ukraine government, military organizations, a lot of that may be to just get access and
Starting point is 00:16:46 figure out what we can steal for espionage or military intelligence benefits to support Russia in the war. Perhaps it would be to maintain access to give access to a more sophisticated actor that could do some sort of disruptive efforts or anything like that. That's pretty standard for a wartime intrusion effort. But then you go to like the domestic side and those cases might just be to see, examining what political opposition is about to report on
Starting point is 00:17:17 or the things they're reporting, the sources of their news, sources of leaks, or maybe even just to like stop that person from reporting, find out where they are, find out who they are in some cases, shut them down, disrupt them. So it's, a lot of it is like this group can almost be looked at as like the, the, the team that kind of gets in, smashes the door to figure out what we should do next in many cases. Obviously the information upside is a little different, but again, it speaks to the complexity
Starting point is 00:17:45 of this actor for sure. Do you have any sense for what their impact has been so far, how successful they may or may not have been? It's really hard to gauge. The domestic stuff in Belarus is, it's almost impossible to gauge from an outsider's perspective in my case. Being that this may have been targeted or tied deeply into the presidential election, that appears to have gone down uninterrupted from any opposition perspective.
Starting point is 00:18:16 So I'm not sure if it really did anything in the end. The Ukraine side, it appears ultimately unsuccessful. It's just another one of the targeted intrusions that ultimately are supporting the war that we're seeing constantly now and we have been seeing constantly for years. So I don't think any of that is leading to like a strong indicator of major success from this actor over time. However, the information ops side of
Starting point is 00:18:41 this, I think is their most noteworthy level of success because the narratives that they are crafting and spreading have done quite well, making it to mainstream media locally within the region and Western nations over time as well. And then obviously those narratives are used by the supporting governments as well to further their initiatives. So that's very difficult to measure for sure. But it's one of those type of groups that there's not like a massive hit and win of
Starting point is 00:19:12 success. And again, a lot of what they're doing might just be getting initial access and then passing it to a group that does something that's really noticeable. And that group gets the reputation for doing it while the initial access was actually somebody more on the Ghostwriter level. Yeah. Well, let's say I'm an organization or even a government in one of these high risk regions. What are your recommendations for me to best protect myself against this group? Yeah.
Starting point is 00:19:40 You know, a lot of the initial access methods center around email delivery. So if I was defending against this actor, I would be looking to email as a very strict method of the actor interacting with potential targets. So you know, advanced filtering capabilities, getting rid of any emails that link to Google Drive, especially if it contains a password that something can't scan. And then looking at things that are being downloaded, obviously, from the agent perspective, I think tracking and monitoring that from a network level when possible is great. But if you're doing something like downloading from Google Drive, it's more difficult to
Starting point is 00:20:18 inspect that traffic. But when files are on the machine, there just needs to be strict controls in terms of what can and can't run on machines. For example, a way that some organizations that are targeted by this group succeed in many cases are by, if there's a file that's downloaded, if that file was downloaded, never seen in the network before, comes from an email address they've never seen before in their system, and it wants to run anything more than just look at text or anything like that, it's completely blocked. So everybody gets, instead of an Excel spreadsheet, they get an ugly code of text. It keeps them tremendously safe and it's worked to stop a lot of evil, but it's a rough user experience, so
Starting point is 00:21:01 somewhere in the middle there's a balance, I'm sure. Well, you mentioned Excel spreadsheets and macros. I mean, does something as simple as disabling macros get us anywhere? It definitely does. But this is the type of group that will adapt no matter what. Macros, getting rid of macros definitely helps. But then it'll be, you know, in the doc it'll say, hey, here's a link to something else to go and download. Then it'll just download the malware straight from that link itself to avoid email detection.
Starting point is 00:21:31 So there's always hoops to hop through, but any of the multi-layered approaches, the way to go is try and stop them through any means, but also be able to detect and respond to this because again, these groups are not the most sophisticated, but knowing that they had an intrusion in your network and what they got and how you can get them to go away is key. So retaining the data, retaining the abilities to do the forensics when they do get in is important. Yeah, it really speaks to that level of persistence that you measured that they're going to keep
Starting point is 00:22:03 at it. Yeah, exactly. And a lot of these targets in these cases are, the political opposition side and human rights activists, these are individuals. They don't often have access to the high end endpoint detection or network filtering or email filtering capabilities.
Starting point is 00:22:19 So they're very reliant on Google spam filter or their standard antivirus and things like that. So I think a lot of those folks just need to be really, really careful if you're using Apple devices. Apple lockdown mode, I highly recommend and whatever the Android equivalent of that is, I'm not sure of. Those work tremendously.
Starting point is 00:22:38 So individuals have to take a little bit different approach, but it still can be done. For our listeners, what do you hope that they take away from checking out this research? Yeah, I think a lot of it comes down to the willingness of diving into research that might not or threat actors that might not be super interesting. It can always lead to interesting stories. In this case, we just see malicious documents and they've been reported on a million times in our industry by threat actors using them.
Starting point is 00:23:07 But if you follow the chains in today's world, it can often lead to interesting stories and even the most sophisticated actors out there are still using what works. And in many cases, that is just a simple malicious document. So don't take the simplicity of the initial access method for granted. It's always still worth trying to research and dive into these actors and take them all seriously
Starting point is 00:23:28 until you really know the true intention. Our thanks to Tom Hegel from SentinelLabs for joining us. The research is titled Ghostwriter, New Campaign Targets Ukrainian Government and Belarusian Opposition. We'll have a link in the show notes. And that's Research Saturday brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
Starting point is 00:24:04 changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
