Dave Bitner
You're listening to the Cyberwire Network powered by N2K.
Dave Bitner
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bitner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Tom Hagel
Ghostwriter is an actor that we've been pretty closely tracking for some time. You know, they've been around for close to a decade at this point. They really kind of popped up in around 2016, but when the war in Ukraine kicked off more recently, that really drew our attention to Ghostwriter and the activity that they were doing within the region.
Dave Bitner
That's Tom Hagel, principal threat researcher from SentinelLabs' research team. The research is titled "Ghostwriter: New Campaign Targets Ukrainian Government and Belarusian Opposition."
Tom Hagel
A lot of what that group has done over the years has stretched outward into regions that we tend to have defensive postures in, like Western countries and so forth. So that is ultimately what attracts us to tracking this actor and trying to stay on top of what they're doing, defend against them from a technical perspective, but also from an intelligence perspective as well. So with that posture in mind, we ultimately have a lot of monitoring in place for anything that this actor is doing new in regions that we typically don't see them in, anything that could pop up as an interesting shift in techniques or targets and so forth. So we've got a lot of things in place to watch them. And ultimately this research was centered around a lot of interesting shifts in the technicalities of how they're doing their attacks with the malicious documents, but also more of the domestic targeting, which we don't see too often. The domestic targeting in particular is what we see kind of focused on the Belarusian political opposition for the upcoming presidential election in that area and so forth. So a lot of interesting things are going on at this point, which is really what took our attention to focus on them and kind of find this research.
Dave Bitner
Before we dig into some of the technical details here, as you point out, this campaign seems to focus on Ukrainian government officials and the Belarusian opposition. Why do we suppose that these groups are being targeted?
Tom Hagel
Yeah, a lot of this really comes back to looking at the history of this threat actor in general. You know, our understanding is that this threat actor, and kudos to some amazing research done by others in the industry like Mandiant and others, they've found a lot of interesting things and published on it. We were able to kind of corroborate it in many places. But ultimately what we see is Ghostwriter is an organization likely in operation within the Belarus government, with close collaborations potentially with the Russian government and so forth. So when you take that into account, we see a lot of the typical anti-NATO targeting. Anything with Ukraine right now is obviously a very hot topic. But ultimately whatever borders Belarus tends to be the area of focus for them. Now the activity of going against Russian, or sorry, Ukrainian organizations, gov, military, like we saw in our research here, that's ultimately not too unexpected for this group. That's kind of the MO for them, going after something that would be such a high priority to them. Getting intelligence on the Ukrainian operations and so forth is very key. But then you see almost like this secondary cluster of activity within Ghostwriter that is doing the domestic stuff. So we see the domestic stuff is ultimately trying to push out propaganda, trying to blend with information ops combined with these targeted malware operations against individuals and organizations that might be seen as negative to domestic disputes within Belarus in particular. So we're ultimately seeing a state of Ghostwriter that is targeting anything that is anti-Belarus in its current form, if that makes sense.
Dave Bitner
Yeah. And now does that differ from previous Ghostwriter operations? I mean, particularly that focus on the domestic.
Tom Hagel
It doesn't. They have had some activities of going to domestic targeting in the past, but it hasn't been so, you know, previously there's been a lot of efforts by Ghostwriter and others in the previous presidential election out there to ultimately silence media, journalists and so forth. In this recent activity, it was more so going after human rights activists, direct political opposition and so forth. And that was a little bit more direct in terms of what they're aiming to do. But the ultimate target sets really aren't outside the bounds of what's normal. What this does show is the first identification of the domestic targeting in quite some time that we've seen, as outsiders in Western nations, right now. So that is a bit more noteworthy than the targeting itself, because they are kind of all over the place, and we've seen them pop up in South America, you know, the Western countries a little bit here and there. But domestic stuff, information ops, is kind of the go-to strategic targeting, with malware infections like this domestically. It speaks to the political affairs going on there domestically right now.
Dave Bitner
Yeah, well, let's dig into some of the technical details here. I mean, how do they go about doing the things that they do?
Tom Hagel
Yeah, absolutely. So historically the group has leaned into traditional credential phishing, where they give you a link and you go and type your password and they steal your account and then go and pilfer everything out of the account: email, social media and so forth. Typical spyware, espionage, kind of depending on who the targeting is. More recently, in what we reported on here, it's strategic malware attacks. And the way that they're doing this is, rather than trying to steal legitimate credentials and do kind of a smash and grab of stealing whatever they can get their hands on, they're trying to get maintained access, in this case to strategic target devices. So what we reported on ultimately centers around the delivery of a malicious document. In our case, we see Google Drive being the main way of them hosting the malicious documents. So they ultimately email a link to the malicious document, basically creating the standard phishing lure. In this case, what we have are lures specific to the domestic targets, lures that are very specific to that individual and what that person studies, if it's the presidential election or political opposition research, things like that. Or if it's on the Ukraine side, it's, you know, anti-corruption initiatives in Ukraine or military equipment deliveries, things like that. And that lure is very specific to their targets. And then they go and download this file. In this case, what we mostly see are Excel spreadsheets. And that Excel spreadsheet ultimately contains pretty heavily obfuscated and hidden VBA macro code. And that macro code is kind of the gateway into the target device. There's a lot of different variations. We reported on a couple of differences in all of them based on who the target is and the timing of specifically when it went down, which ultimately speaks to seeing the actor shift over time.
But what we're seeing are these VBA macros lean into essentially writing a DLL file to the temp directory of the target device in the background. As they're reading this file, this DLL is ultimately loaded. We go through what we call a couple of different stages. So stage one would be the Excel spreadsheet. Stage two would be this DLL file. And this DLL file gains persistence on the machine. It's installed in a persistent way. So anytime the machine starts, this DLL file will attempt to start as well. And what this DLL file is comes down to being essentially a downloader. We call it PicassoLoader, it's kind of the industry standard name, or Picasso downloader. And it essentially allows a third tool, third-layer tooling, to be loaded at the attacker's discretion. But it's all gained persistently at that point. So that's how they kind of get in.
Dave Bitner
We'll be right back. Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing. For individuals, SMBs, and enterprises, they deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.
Dave Bitner
Threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Dave Bitner
What would you rate the level of sophistication here in terms of being stealthy?
Tom Hagel
You know, the stealth isn't so great, the sophistication isn't high. But what you're seeing is the persistence and just the workability of this whole thing. It's just smooth, it kind of works. And unfortunately in many of these cases, the targets that they're going after aren't often the most secure. So they might be unpatched to a vulnerability or they might not be running some sort of protection that would stop something like this. So that level of sophistication is not quite there. But what we do see, I would say what is sophisticated about it, is more the fine-tuned craft of exactly what they're doing. So for example, the way that the VBA ultimately turns into running malware is it goes through a process of essentially rewriting itself in memory and turns itself from the DLL into essentially the malware that runs the .NET code of the actual malware. And it goes through a couple of stages of obfuscation using freely available tools out there to conceal itself from antivirus or EDR tools, or even an analysis of just looking at the file itself. So those little details at the final stage are what make it so seamless, or what make it so successful to install in many of these cases we've seen. So overall, I wouldn't say the actor is being incredibly sophisticated. What they are being is persistent and creative. But when it matters, little things just to get past the little hiccups of endpoint protection, or somebody not seeing this file, or somebody having a clue that this file might be malicious, that's where they put a little bit of effort into it as well. And that really can also be highlighted by the fact that after all this happens, a fake lure document is opened to show them what they think they should be seeing anyway. So all this is happening in the background. They're actually given a document of what they believe to be what they were sent and opened. So they might not question this whole process they just experienced.
Dave Bitner
Yeah, that's really interesting. I mean it seems like, I don't know, perhaps their capabilities exceed what they're showing in this campaign. Is that a fair way to say it?
Tom Hagel
Yeah, you know, that's a good way to put it. Another way to even think about it would be the multi-approach that they've always taken over the years. Like, this is just a targeted phishing lure that's delivered malware, and it may lead to other malware down the road or strategic data exfil, depending on the victim or whatever. But the fact that this group also has done pretty well in domestic information ops and propaganda spreading into mainstream media in the region, and even things like the credential phishing I talked about, the combination of skill sets there is pretty diverse, and it speaks to me of an organization that gets a lot of backing and resources from the more capable organizations, perhaps in Russia or elsewhere. But they're getting the financial backing and they're getting the support to be able to experiment, to do what needs to get done. So a pretty interesting group to follow.
Dave Bitner
What ultimately does it seem like they're after here? I mean, is that as customized as the way they come at people?
Tom Hagel
Yeah, it definitely is a unique target objective, for sure. So in the Ukraine government, military organizations, a lot of that may be to just get access and figure out what we can steal for espionage or military intelligence benefits to support Russia in the war. Perhaps it would be to maintain access, give access to a more sophisticated actor that could do some sort of disruptive efforts or anything like that. That's pretty standard for a wartime intrusion effort. But then you go to the domestic side, and those cases might just be examining what political opposition is about to report on or the things they're reporting, the sources of their news, sources of leaks, or maybe even just to stop that person from reporting, find out where they are, find out who they are, in some cases shut them down, disrupt them. So a lot of it is like, this group can almost be looked at as the team that gets in, smashes the door, to figure out what we should do next. In many cases, obviously the information ops side is a little different, but again, it speaks to the complexity of this actor, for sure.
Dave Bitner
Do you have any sense for what their impact has been so far, how successful they may or may not have been?
Tom Hagel
It's really hard to gauge. The domestic stuff in Belarus is almost impossible to gauge from an outsider's perspective. In my case, you know, being that this may have been targeted or tied deeply into the presidential election, that appears to have gone down uninterrupted from any opposition perspective. So I'm not sure if it really did anything in the end. On the Ukraine side, it appears ultimately unsuccessful. It's just another one of the targeted intrusions that are supporting the war that we're seeing constantly now, and we have been seeing constantly for years. So I don't think any of that is leading to a strong indicator of major success from this actor over time. However, the information ops side of this, I think, is their most noteworthy level of success, because the narratives that they are crafting and spreading have done quite well, making it to mainstream media locally within the region and in Western nations over time as well. And then obviously those narratives are used by the supporting governments as well to further their initiatives. So that's very difficult to measure for sure, but it's one of those types of groups where there's not a massive hit and win of success. And again, a lot of what they're doing might just be getting initial access and then passing it to a group that does something that's really noticeable, and that group gets the reputation for doing it, while the initial access was actually somebody more on the Ghostwriter level.
Dave Bitner
Yeah, well, let's say I'm an organization or even a government in one of these high risk regions. What are your recommendations for me to best protect myself against this group?
Tom Hagel
Yeah, you know, a lot of the initial access methods center around email delivery. So if I was defending against this actor, I would be looking at email as a very strict method of the actor interacting with potential targets. So, you know, advanced filtering capabilities, getting rid of any emails that link to Google Drive, especially if it contains a password-protected file that something can't scan, and then looking at things that are being downloaded, obviously from the agent perspective. I think tracking and monitoring that from a network level when possible is great. But if you're doing something like downloading from Google Drive, it's more difficult to inspect that traffic. But when the files are on the machine, there just needs to be strict controls in terms of what can and can't run on machines. For example, a way that some organizations that are targeted by this group succeed in many cases is: if there's a file that's downloaded, and that file was never seen in the network before, comes from an email address they've never seen before in their system, and it wants to run anything more than just showing text or anything like that, it's completely blocked. So everybody gets, instead of an Excel spreadsheet, an ugly block of text. It keeps them tremendously safe and it's worked to stop a lot of evil. But it's a rough user experience. So somewhere in the middle there's a balance, I'm sure.
Dave Bitner
Right. Well, you mentioned Excel spreadsheets and macros. I mean, does something as simple as disabling macros get us anywhere?
Tom Hagel
It definitely does, but this is the type of group that will adapt no matter what. Getting rid of macros definitely helps, but then it'll be, you know, in the doc it'll say, hey, here's a link to something else to go and download. Then it'll just download the malware straight from that link itself to avoid email detection. So there's always hoops to hop through, but any multi-layered approach is the way to go. Try and stop them through any means, but also be able to detect and respond to this, because again, these groups are not the most sophisticated. But knowing that they had an intrusion in your network and what they got and how you can get them to go away is key. So retaining the data, retaining the ability to do the forensics when they do get in, is important.
Dave Bitner
Yeah, it really speaks to that level of persistence that you measured that they're going to keep at it.
Tom Hagel
Yeah, exactly. And a lot of these targets in these cases are, you know, on the political opposition side and human rights activists. These are individuals. They don't often have access to the high-end endpoint detection or network filtering or email filtering capabilities. So they're very reliant on Google's spam filter or their standard antivirus and things like that. So I think a lot of those folks just need to be really, really careful. If you're using Apple devices, Apple Lockdown Mode I highly recommend, and whatever the Android equivalent of that is, which I'm not sure of. Those work tremendously. So individuals have to take a little bit different approach, but it still can be done.
Dave Bitner
For our listeners, what do you hope that they take away from checking out this research?
Tom Hagel
Yeah, I think a lot of it comes down to the willingness to dive into research, or threat actors, that might not be super interesting. They can always lead to interesting stories. In this case we just see malicious documents, and they've been reported on a million times in our industry, by threat actors using them. But if you follow the chains in today's world, it can often lead to interesting stories, and even the most sophisticated actors out there are still using what works. And in many cases that is just a simple malicious document. So don't take the simplicity of the initial access method for granted. It's always still worth trying to research and dive into these actors and take them all seriously until you really know the true intention.
Dave Bitner
Our thanks to Tom Hagel from SentinelLabs for joining us. The research is titled "Ghostwriter: New Campaign Targets Ukrainian Government and Belarusian Opposition." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bitner. Thanks for listening. We'll see you back here next time.
Release Date: March 22, 2025
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
In this episode of CyberWire Daily, hosted by Dave Bitner, the focus shifts to a deep dive into the activities of a persistent cyber threat actor known as Ghostwriter. The episode, titled "Excel-lerating Cyberattacks. [Research Saturday]", features a discussion with Tom Hagel, Principal Threat Researcher from the SentinelLabs research team. The conversation covers the evolving tactics of Ghostwriter, particularly their recent campaigns targeting Ukrainian government officials and the Belarusian opposition.
Hagel begins by providing background on Ghostwriter, highlighting their near decade-long presence in the cybersecurity landscape. "Ghostwriter is an actor that we've been pretty closely tracking for some time," Hagel states at [02:22]. The group surfaced around 2016, but its activity in the region since the war in Ukraine began is what drew SentinelLabs' attention.
Bitner introduces the research, titled "Ghostwriter: New Campaign Targets Ukrainian Government and Belarusian Opposition." Hagel explains that the group's activity reaching into regions with established defensive postures, such as Western countries, is what keeps SentinelLabs tracking it, and that this research was driven by shifts in how the malicious documents work as well as by domestic targeting, which is rarely observed. "A lot of interesting things are going on at this point, which took our attention to focus on them," Hagel explains at [02:46].
The discussion delves into Ghostwriter's strategic targeting of Ukrainian government officials and Belarusian opposition figures. Hagel notes, citing earlier work by Mandiant and others, that "Ghostwriter is likely in operation within the Belarus government with close collaborations potentially with the Russian government" ([04:35]). This alignment suggests a dual objective: anti-NATO efforts and domestic suppression within Belarus.
Hagel points out the domestic targeting aspect, which involves propaganda dissemination and strategic malware operations against individuals like human rights activists and political opponents. "The domestic stuff is ultimately trying to push out propaganda, trying to blend with information ops," Hagel states at [04:21].
A significant portion of the episode dissects the technical methodologies employed by Ghostwriter. Hagel outlines the shift from traditional credential phishing, where a link leads the victim to type in a password and the account is then emptied, to strategic malware delivery aimed at keeping access to specific devices. "Rather than trying to steal legitimate credentials and do a smash and grab, they're trying to maintain access to strategic target devices," he explains at [08:05].
The attack sequence involves:
1. A phishing email carrying a link to a malicious document hosted on Google Drive. The lure is tailored to the target: presidential election or political opposition research for domestic Belarusian targets, anti-corruption initiatives or military equipment deliveries for Ukrainian targets.
2. The downloaded file, usually an Excel spreadsheet (stage one), containing heavily obfuscated and hidden VBA macro code.
3. The macro writing a DLL (stage two) to the device's temp directory in the background while the document is being read, and loading it.
4. The DLL being installed persistently, so that it attempts to start whenever the machine starts, and acting as a downloader (PicassoLoader) that retrieves third-stage tooling at the attacker's discretion.
5. A decoy document being opened so the victim sees what they expected, and has no reason to question what just happened.
Hagel describes this as a multi-stage process (spreadsheet, DLL, then the payload the downloader fetches), and notes that the final stage rewrites itself in memory into the .NET code of the actual malware and passes through several layers of obfuscation built with freely available tools, which is how it slips past antivirus, EDR and static inspection of the file ([12:46]).
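Detection logic for the chain summarized above, as an added example that is not code from SentinelLabs or N2K: an Office process writes a DLL into a Temp directory, and shortly afterwards that DLL is referenced by a persistence entry or a DLL-loading host process. The events are constructed Sysmon-style records (EID 11 FileCreate, EID 13 RegistryEvent, EID 1 ProcessCreate) with invented hostnames, usernames and file names; the Run-key persistence and rundll32 loading are assumptions made here for illustration, since the interview only says the DLL is installed so that it starts with the machine.

```python
"""Correlate 'Office dropped a DLL in Temp' with a follow-on persistence or load event.

Added example, not SentinelLabs or N2K code. Event records below are constructed
Sysmon-style telemetry; the Run-key and rundll32 details are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
TEMP_DLL = re.compile(r"\\temp\\[^\\]+\.dll$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    # Sysmon UtcTime looks like "2025-03-01 10:00:05.000"
    return datetime.fromisoformat(event["UtcTime"])


def find_dropped_dlls(events):
    """Stage 1 -> 2: an Office process writing a DLL under a Temp directory (EID 11)."""
    drops = defaultdict(list)  # host -> [(timestamp, lowercased dll path)]
    for e in events:
        if (e["EventID"] == 11
                and _basename(e["Image"]) in OFFICE_IMAGES
                and TEMP_DLL.search(e["TargetFilename"])):
            drops[e["Computer"]].append((_ts(e), e["TargetFilename"].lower()))
    return drops


def correlate(events, window=timedelta(minutes=30)):
    """Return alerts: 'high' when a dropped DLL is referenced by a Run key value or a
    DLL host command line within `window` of the drop, 'medium' for a drop alone."""
    drops = find_dropped_dlls(events)
    alerts, seen = [], set()
    for e in events:
        host = e["Computer"]
        if host not in drops:
            continue
        if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            reference, reason = e["Details"].lower(), "run-key persistence"
        elif e["EventID"] == 1 and _basename(e["Image"]) in DLL_HOSTS:
            reference, reason = e["CommandLine"].lower(), "loaded by " + _basename(e["Image"])
        else:
            continue
        for dropped_at, dll in drops[host]:
            if dll in reference and timedelta(0) <= _ts(e) - dropped_at <= window:
                key = (host, dll, reason)
                if key not in seen:
                    seen.add(key)
                    alerts.append({"host": host, "dll": dll, "severity": "high", "reason": reason})
    escalated = {(a["host"], a["dll"]) for a in alerts}
    for host, items in drops.items():
        for _, dll in items:
            if (host, dll) not in escalated:
                alerts.append({"host": host, "dll": dll, "severity": "medium",
                               "reason": "office process dropped a DLL in Temp"})
    return alerts


# Constructed sample telemetry (not real logs). HOST-A shows the full chain, HOST-B a
# drop whose follow-on falls outside the window, HOST-C benign Excel activity.
OFFICE_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"Computer": "HOST-A", "EventID": 11, "UtcTime": "2025-03-01 10:00:05.000",
     "Image": OFFICE_EXCEL, "TargetFilename": r"C:\Users\ivan\AppData\Local\Temp\update.dll"},
    {"Computer": "HOST-A", "EventID": 13, "UtcTime": "2025-03-01 10:00:09.000",
     "Image": OFFICE_EXCEL,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\ivan\AppData\Local\Temp\update.dll,Start"},
    {"Computer": "HOST-B", "EventID": 11, "UtcTime": "2025-03-01 11:00:00.000",
     "Image": OFFICE_EXCEL, "TargetFilename": r"C:\Users\olga\AppData\Local\Temp\helper.dll"},
    {"Computer": "HOST-B", "EventID": 1, "UtcTime": "2025-03-01 13:30:00.000",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\olga\AppData\Local\Temp\helper.dll,Start"},
    {"Computer": "HOST-C", "EventID": 11, "UtcTime": "2025-03-01 12:00:00.000",
     "Image": OFFICE_EXCEL, "TargetFilename": r"C:\Users\pavel\AppData\Local\Temp\book1.xlsx"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The drop alone is kept as a medium alert rather than discarded: in the interview's description the DLL is written while the document is still being read, so the write is the earliest point at which the chain is visible, and a later load or persistence event may arrive from a different log source or outside the correlation window.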
When questioned about the sophistication of Ghostwriter's tactics, Hagel provides a nuanced perspective. "The stealth isn't so great, the sophistication isn't high," he admits at [12:51]. However, he acknowledges the group's persistence and creativity in maintaining access and adapting their techniques to bypass security measures, and notes that many of their targets are unpatched or lack protection that would have stopped the intrusion.
Despite the relatively low sophistication, Ghostwriter's impact is notable in their ability to conduct both espionage and information operations. Hagel remarks, "The combination of skill sets there are pretty diverse, and it speaks to me of an organization that gets a lot of backing and resources" ([15:06]). He adds that the group may function as an initial access team, with access handed on to a more capable actor that then gets the credit for what follows.
The group's influence extends beyond immediate data theft, particularly through their information operations that shape narratives both locally and internationally. "The narratives that they are crafting and spreading have done quite well, making it to mainstream media locally within the region and western nations over time as well," Hagel observes at [17:33]. He judges the Ukrainian intrusions in this campaign to have been ultimately unsuccessful, and the effect of the domestic targeting impossible to gauge from outside.
Addressing protective measures, Hagel offers several strategies for organizations and individuals to safeguard against Ghostwriter's tactics:
1. Strict email filtering, including dropping messages that link to Google Drive, especially when the linked file is password-protected and cannot be scanned.
2. Monitoring downloads at the network level where possible, with the caveat that Google Drive traffic is hard to inspect.
3. Tight control over what downloaded files can do on the endpoint. Some targeted organizations block any never-before-seen file from an unknown sender that wants to do more than display text, which has stopped real intrusions at the cost of a rough user experience.
4. Disabling macros, while expecting the group to adapt, for example by linking directly to a malware download instead.
5. A layered approach that includes detection and response, retaining logs and forensic capability so that an intrusion, and what the intruder took, can be established.
For individual users, especially those with limited security infrastructure, Hagel suggests using device-specific protections like Apple's Lockdown Mode to enhance security ([21:37]).
The episode concludes with Hagel urging listeners not to underestimate the simplicity of initial access methods used by threat actors like Ghostwriter. "Don't take the simplicity of the initial access method for granted," he emphasizes ([22:28]). The key takeaway is that even sophisticated actors still use what works, often a plain malicious document, and that following such chains is worth the effort.
Bitner closes the episode, noting that the group's persistence means defenders should expect continued attempts and plan for detection and response as well as prevention.
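One way to implement the file-gating measure described above, as an added example that is not SentinelLabs or N2K code: inspect the document itself before it reaches the user. OOXML documents (.xlsx, .xlsm, .docx) are zip packages, and a VBA project is stored as a vbaProject.bin part; legacy binary formats (.xls, .doc) and password-protected OOXML files are both OLE compound files, which this check refuses because it cannot see inside them. The sample files are constructed in memory with zipfile, with placeholder bytes standing in for a real VBA project.

```python
"""Gate inbound Office documents: allow plain OOXML, block anything with a VBA project,
a macro-enabled content type, embedded objects, or a container that cannot be inspected.

Added example, not SentinelLabs or N2K code. Sample packages are constructed below.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header


def classify_office_file(data: bytes) -> dict:
    """Return {'verdict': 'allow' | 'block', 'reasons': [...]}."""
    if data[:8] == OLE_MAGIC:
        return {"verdict": "block",
                "reasons": ["OLE compound file (legacy binary format or password-protected); cannot inspect"]}
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not an OOXML package"]}

    parts = {name.lower(): name for name in package.namelist()}
    if "[content_types].xml" not in parts:
        return {"verdict": "block", "reasons": ["missing [Content_Types].xml"]}
    content_types = package.read(parts["[content_types].xml"]).decode("utf-8", "replace").lower()

    reasons = []
    vba = [parts[n] for n in parts if n.endswith("vbaproject.bin")]
    if vba:
        reasons.append("contains VBA project: " + ", ".join(vba))
    if "macroenabled" in content_types:
        reasons.append("declares a macro-enabled content type")
    embedded = [parts[n] for n in parts if "/embeddings/" in n]
    if embedded:
        reasons.append("contains embedded objects: " + ", ".join(embedded))
    encrypted = [info.filename for info in package.infolist() if info.flag_bits & 0x1]
    if encrypted:
        reasons.append("zip-encrypted entries; cannot inspect")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def _package(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


SHEET_CT = ('<Override PartName="/xl/workbook.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
MACRO_CT = ('<Override PartName="/xl/workbook.xml" '
            'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>')
VBA_CT = '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'

# Constructed samples: a plain workbook, a macro-enabled workbook, an OLE header.
CLEAN_XLSX = _package({"[Content_Types].xml": "<Types>" + SHEET_CT + "</Types>",
                       "xl/workbook.xml": "<workbook/>"})
MACRO_XLSM = _package({"[Content_Types].xml": "<Types>" + MACRO_CT + VBA_CT + "</Types>",
                       "xl/workbook.xml": "<workbook/>",
                       "xl/vbaProject.bin": OLE_MAGIC + b"placeholder VBA project"})
OLE_FILE = OLE_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_XLSX), ("macro", MACRO_XLSM), ("ole", OLE_FILE)]:
        print(label, classify_office_file(blob))
```

The check deliberately blocks what it cannot read rather than passing it through, which is the same trade-off Hagel describes: the user sometimes gets a refusal instead of a spreadsheet, and the password-protected attachment that no scanner can open never reaches them.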