A new threat actor group has been observed conducting a series of cyber-attacks targeting government entities, military organizations and civilian users in Ukraine and Poland.
According to a new advisory by Cisco Talos, the malicious campaigns started in April 2022 and are currently ongoing. They primarily aim at stealing valuable information and establishing persistent remote access.
“Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government,” Cisco Talos wrote.
The attacks employ a sophisticated multistage infection chain, with the initial point of entry involving malicious Microsoft Office documents, particularly in Excel and PowerPoint formats. These documents utilize concealed executable downloaders and payloads embedded within image files, making detection more challenging.
The primary focus of these campaigns is on government and military entities in Ukraine and Poland. The threat actors employ social engineering techniques, using authentic-looking images and text.
“The purpose of these socially engineered lures is to convince the targeted users to enable macros, thereby allowing the execution chain to commence,” Cisco Talos explained.
Read more on macro-focused attacks: North Korean APT Kimsuky Launches Global Spear-Phishing Campaign
Ukrainian and Polish businesses, as well as general users, have reportedly fallen victim to these campaigns through deceptive Excel spreadsheets masquerading as value-added tax (VAT) return forms.
Analysis of the attacks has revealed the deployment of various malicious payloads, including the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT. These payloads enable the threat actors to steal information and gain remote control over compromised systems.
To mitigate the risk posed by these cyber-attacks, Cisco Talos recommended implementing comprehensive security measures. The security firm has also included in its advisory a comprehensive list of indicators of compromise (IoC) associated with these threats.