Belarus-linked APT Ghostwriter Targeted Ukraine with PicassoLoader Malware

Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) stated in a new alert that it recorded a surge in activity by the UAC-0057 group (aka GhostWriter) between July 12 and 18, 2024. The activity consisted of the distribution of documents containing macros designed to launch a malicious loader called PicassoLoader, which in turn deployed Cobalt Strike (a post-exploitation tool) on the victim’s computer. Notably, these documents used lures related to local government reform, taxation, and financial-economic metrics. Based on the lures employed, CERT-UA suspects that the targets of the latest campaign include both project office specialists and their counterparts among the employees of relevant local government bodies in Ukraine.

Security Officer Comments:
This activity appears to be part of a broader cyber espionage campaign targeting the Ukrainian government. Back in March 2022, CERT-UA highlighted a similar spear-phishing campaign launched by UAC-0057 that targeted Ukrainian state entities with Cobalt Strike beacons. The latest campaign has a similar motive: the actors use their access to spy on employees at Ukrainian government bodies and steal data of interest that could provide a geopolitical advantage. According to researchers, GhostWriter is linked to the government of Belarus, and its motives are closely aligned with the security interests of Russia, a nation with which Belarus has strong economic and political ties. In August 2020, this threat group was observed running a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

Suggested Corrections:
IOCs relevant to this campaign have been published in the CERT-UA alert.
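The initial access vector in this campaign is an Office document carrying a macro. As an added triage example (not code from CERT-UA or the linked article), the following Python inspects an Office Open XML package (docx/docm/xlsx/xlsm) for an embedded VBA project, which is the part a macro-bearing document must contain; the sample packages are constructed in memory for the demonstration and are not real malware.

```python
import io
import zipfile

# Part names that indicate a VBA project inside an OOXML package.
# "vbaProject.bin" is the standard part name; the list is an assumption that
# can be extended if other macro containers need to be covered.
VBA_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")

# Extensions Office uses to advertise that macros are present.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def find_macro_parts(data: bytes) -> list:
    """Return the names of VBA-related parts found in an OOXML package.

    An empty list means no VBA project was found. Raises ValueError when the
    input is not a ZIP package (e.g. a legacy OLE .doc/.xls file), so callers
    do not silently treat an unparseable file as clean.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (ZIP) package; legacy OLE files need a different parser") from exc
    return [n for n in names if n.lower().endswith(VBA_PART_SUFFIXES)]


def has_vba_macros(data: bytes) -> bool:
    """True if the package carries a VBA project."""
    return bool(find_macro_parts(data))


def classify(filename: str, data: bytes) -> str:
    """Produce a short triage verdict for a document received by email.

    - "no-macros": no VBA project in the package
    - "macro-enabled": VBA project present and the extension advertises it
    - "macro-hidden-extension": VBA project present but the extension does
      not advertise macros, which deserves closer review
    """
    parts = find_macro_parts(data)
    if not parts:
        return "no-macros"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled"
    return "macro-hidden-extension"


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package in memory.

    This is constructed sample data for the demonstration only; the
    vbaProject.bin payload is a placeholder, not a real VBA project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "reform_proposal.docm": build_sample_package(True),
        "tax_metrics.docx": build_sample_package(True),
        "agenda.docx": build_sample_package(False),
    }
    for name, blob in samples.items():
        print(f"{name}: {classify(name, blob)} {find_macro_parts(blob)}")
```

Run against a mail attachment quarantine, the verdict is a cheap first filter: anything other than "no-macros" arriving from an external sender should be held for analyst review or detonated in a sandbox. Legacy binary formats (.doc, .xls) are OLE containers rather than ZIP packages, so the function raises instead of guessing; a tool such as olevba from the oletools project handles those.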

Link(s):
https://securityaffairs.com/166265/intelligence/belarus-apt-ghostwriter-targeted-ukraine.html