
PicassoLoader Malware Used in Ongoing Attacks in Ukraine and Poland
Government entities, military organizations and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to infected systems.
The intrusion series, which lasted from April 2022 to July 2023, took advantage of phishing baits and decoy documents to spread downloader malware called PicassoLoader, which acted as a conduit for launching Cobalt Strike Beacons and njRAT.
“The attacks use multilevel infection chains that start with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats,” Cisco Talos researcher Vanja Svajcer said in a new report. “This is followed by a downloader executable and a payload hidden in the image file, likely making its detection more difficult.”
A portion of this activity has been linked to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with those of the Belarusian government.
It should be noted that a subset of these attacks has been documented over the past year by the Ukraine Computer Emergency Response Team (CERT-UA) and Fortinet FortiGuard Labs, one of which used a macro-laden PowerPoint document to deliver Agent Tesla malware in July 2022.
The infection chain aims to convince the victim to enable macros; the VBA macro is engineered to drop a DLL downloader known as PicassoLoader, which then reaches out to an attacker-controlled site to fetch the next-stage payload, a legitimate image file that embeds the final malware.
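As an added example (not code from the article, Cisco Talos or the campaign) of how a defender might triage the "payload hidden in an image file" stage: the script walks a PNG's chunk list and reports any bytes that follow the IEND chunk. It assumes the hidden payload is appended after the image's terminating chunk, which the article does not state; data steganographically woven into pixel data would need a different check. The sample images are constructed inline.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, payload):
    """Build one PNG chunk: length, type, payload, CRC over type+payload."""
    body = ctype + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)

def make_sample_png():
    """Constructed 1x1 greyscale PNG used as the clean sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def png_end_offset(data):
    """Walk the chunk list and return the offset just past IEND, or None if
    the data is not a well-formed PNG (bad magic, truncated chunk, no IEND)."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + payload + CRC
        if pos > len(data):
            return None  # chunk claims more bytes than the file holds
        if ctype == b"IEND":
            return pos
    return None

def trailing_bytes(data):
    """Bytes following the IEND chunk: 0 for a clean image, >0 is worth a
    closer look, None when the input is not a parseable PNG at all."""
    end = png_end_offset(data)
    return None if end is None else len(data) - end

if __name__ == "__main__":
    clean = make_sample_png()
    # constructed "suspicious" sample: an opaque blob appended after IEND
    stuffed = clean + b"MZ" + b"\x90" * 30
    for name, blob in (("clean.png", clean), ("stuffed.png", stuffed)):
        print(f"{name}: {trailing_bytes(blob)} trailing byte(s)")
```

A non-zero result is only a triage signal; legitimate tools occasionally append metadata, so the trailing bytes still need to be examined.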
The disclosure comes as CERT-UA details a number of phishing operations distributing the SmokeLoader malware, as well as a smishing attack designed to gain unauthorized control over a target’s Telegram account.
Last month, CERT-UA revealed a cyber espionage campaign targeting state organizations and media representatives in Ukraine that uses email and instant messaging to distribute files which, when launched, result in the execution of a PowerShell script called LONEPAGE to retrieve next-stage browser stealer (THUMBCHOP) and keylogger (CLOGFLAG) payloads.
GhostWriter is one of many threat actors targeting Ukraine. Another is the Russian nation-state group APT28, which has been observed using HTML attachments in phishing emails that ask recipients to change their UKR.NET and Yahoo! passwords due to suspicious activity detected on their accounts, leading them to a fake landing page that ultimately steals their credentials.
The development also follows the adoption of a “standard five-phase playbook” by hackers associated with Russian military intelligence (GRU) in their disruptive operations against Ukraine, in a “deliberate attempt to increase the speed, scale and intensity” of their attacks.

This consists of leveraging living-on-the-edge infrastructure to gain initial access, using living-off-the-land techniques to perform reconnaissance, lateral movement and information theft so as to limit their malware footprint and evade detection, creating persistent privileged access via group policy objects (GPOs), deploying wipers, and telegraphing their actions via a hacker persona on Telegram.
“The benefits this playbook provides are well-suited to a fast-paced and highly contested operating environment, demonstrating that Russia’s wartime objectives may have guided the GRU’s chosen tactical actions,” Google’s Mandiant said.