Summary:
Belarusian state-sponsored hackers, UNC1151, targeted Ukraine’s Ministry of Defence and a military base in a new cyberespionage operation according to Cyble Research and Intelligence Labs. Mandiant Threat Intelligence uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part of a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO that has been active since March 2017 targeting audiences in Ukraine, Lithuania, Latvia, and Poland. The false information is distributed via compromised websites and spoofed email accounts. In the latest campaign, observed in April 2024 by researchers at the cybersecurity firm Cyble, the hackers sent their targets phishing emails with an attachment that contained drone image files and a malicious Microsoft Excel spreadsheet. Cyble discerns this is a targeted attack against the Ukrainian Military based on the drone image files and malicious Excel spreadsheet combined within the spam email.

The target is social engineered into enabling macros, thereby triggering the attack chain. A LNK file is then executed which executes a malicious DLL file. The DLL modifies the system’s security protocol settings to evade detection or carry out malicious activities. Due to the unavailability of the encrypted files, Cyble was unable to determine how the DLL files are used to deliver the final payload.

Security Officer Comments:
UNC1151 has made notable changes to their TTPs in this campaign when compared to their previous activity. In the previous campaign, the threat actor downloaded an encrypted JPG file using a DLL loader, which was then decrypted to deploy a final payload executable. In this campaign, the adversary likely downloads an encrypted SVG file, which decrypts to deliver another DLL payload file. When investigating, Cyble was unable to uncover the final payload executable but it is suspected to be either AgentTesla, Cobalt Strike beacons, and/or njRAT based on the previous UNC115 campaign. These Belarusian threat actors act as a criminal proxy for Russian military intelligence. UNC1151 is persistently conducting a malware campaign against Ukraine, continuously updating its TTPs to enhance its defensive evasion techniques with the goal of performing espionage to win the information war against Ukraine.

Suggested Corrections:
Recommendations from Cyble Research and Intelligence Labs:

• The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
• When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
• Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.
• Implement application whitelisting to restrict the execution of rundll32.exe to authorized processes and paths, reducing the risk of malware launching lnk files through this method.
• Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
• Enhance system security by creating strong, distinct passwords for each account and, whenever feasible, activating two-factor authentication.
• Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
• Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods cybercriminals employ.

Cyble Research and Intelligence Labs has published relevant IOCs in its blog post.

Link(s):
https://therecord.media/belarus-hackers-ukraine-ministry-defense

https://cyble.com/blog/unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence/