
Attacks Against Ukraine and Poland Continue to Use the PicassoLoader Malware


By Esme Greene

Aug 18, 2023

The intrusion set, which spans the months between April 2022 and July 2023, uses phishing lures and decoy documents to launch PicassoLoader, a downloader that serves as a conduit for Cobalt Strike Beacon and njRAT.

According to a recent analysis by Cisco Talos researcher Vanja Svajcer, “the attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most frequently using Microsoft Excel and PowerPoint file formats.” This was followed by an executable downloader and payload that was hidden inside an image file, making it more likely that it would go undetected.
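The report says the downloader and payload were hidden inside an image file but does not say how; one common approach is to append data after the image's end-of-file marker, which viewers ignore. As an added defensive check that is not part of the Talos write-up, the script below walks a PNG's chunk list to the IEND chunk and reports any overlay bytes after it (the sample images are constructed; data hidden inside the pixel data itself would not be caught by this check).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Returns None if the data is not a PNG or IEND is missing or truncated."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def inspect_png(data: bytes) -> dict:
    """Report bytes that follow IEND: viewers ignore them, a loader can read them."""
    end = png_end_offset(data)
    if end is None:
        return {"valid_png": False, "trailing_bytes": 0, "mz_header": False}
    trailing = data[end:]
    return {
        "valid_png": True,
        "image_end": end,
        "trailing_bytes": len(trailing),
        # "MZ" at the start of the overlay suggests an appended PE executable
        "mz_header": trailing.startswith(b"MZ"),
    }


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid RGB PNG (constructed sample, not a real capture)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height   # filter byte + pixels
    idat = zlib.compress(scanlines)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed samples: a clean PNG and one with an inert "MZ" overlay appended.
CLEAN_PNG = make_png()
TAMPERED_PNG = CLEAN_PNG + b"MZ" + b"\x00" * 60

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, inspect_png(sample))
```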

What is Known About the Hacker Campaigns

A threat actor known as GhostWriter (also tracked as UAC-0057 or UNC1151), whose objectives are believed to align with those of the Belarusian government, has been attributed with some of this activity.

Some of these attacks had already been identified over the past year by the Computer Emergency Response Team of Ukraine (CERT-UA) and Fortinet FortiGuard Labs; one of them, which occurred in July 2022, used PowerPoint documents with macros to spread the Agent Tesla malware.

The discovery follows CERT-UA’s description of several phishing campaigns that distributed the SmokeLoader malware, as well as a smishing attack intended to take over victims’ Telegram accounts without their knowledge.

CERT-UA revealed a cyber espionage campaign last month that targets state organizations and media representatives in Ukraine. The campaign distributes files via email and instant messengers; when a file is opened, a PowerShell script called LONEPAGE runs to retrieve additional payloads, including a browser stealer (THUMBCHOP) and a keylogger (CLOGFLAG).

More Attacks

It also follows activity by the Russian nation-state group APT28, which has been observed using HTML attachments in phishing emails that urge recipients to change their UKR.NET and Yahoo! passwords, citing suspicious activity in their accounts, in order to direct them to fake landing pages that steal their credentials.

The finding also comes after Russian military intelligence (GRU)-affiliated hackers used a “standard five-phase playbook” in their disruptive activities targeting Ukraine in a “deliberate effort to boost the speed, scale, and intensity” of their assaults.
