
Ghostwriter Campaign Targets Ukraine and Belarus: Cybersecurity Threat Analysis
Analysis of a Recent Ghostwriter Campaign Targeting Ukraine and Belarusian Opposition
By Cyberanansi
#Cybersecurity
As cyber analysts, we’ve been tracking a recent campaign attributed to the threat actor known as Ghostwriter (also referred to as Moonscape, TA445, UAC-0057, and UNC1151). This actor is linked to Belarusian government espionage efforts, aligns with Russian security interests, and frequently targets NATO. Documented extensively since 2016, Ghostwriter’s latest campaign is noteworthy for its expanded targeting of the Belarusian opposition, alongside its ongoing activity against Ukraine.
Overview of the Ghostwriter Campaign
This campaign shows a shift in Ghostwriter’s typical focus. Preparation began in July-August 2024, the campaign became active in November-December 2024, and it is still ongoing. Historically aimed at Ukrainian entities, the operation now also targets Belarusian opposition activists, paralleling the Belarusian government’s crackdown on its opposition following the January 26, 2025 presidential election.
Technical Insights into the Campaign
- Initial Access Vector: The campaign typically begins with a Google Drive link. The link often delivers a RAR archive containing a weaponized Microsoft Excel workbook.
- Malware Deployment: If macros are enabled, an obfuscated VBA macro (often built with MacroPack) executes in stages and eventually deploys a downloader.
- Code Obfuscation: The .NET assembly within the DLL is obfuscated using ConfuserEx, a recurring technique in Ghostwriter’s toolkit throughout 2024.
- Execution: The DLL runs using processes like regsvr32.exe or rundll32.exe, calling an exported function designed for stealthy operation.
Analysis of Downloader Attributes
The downloader employed in these attacks exhibits significant sophistication, incorporating multiple evasion techniques:
- Memory Duplication: The downloader duplicates itself in memory, decrypting additional code to thwart detection.
- Portable Executable (PE) Modifications: By altering the PE header and breaking its internal links, it hinders attempts by security software to identify .NET modules.
Payload Retrieval
- First Method: The downloader may retrieve a JPG file from altered .shop domains; these files are believed to deliver malicious DLLs selectively, based on profiling of the target.
- Second Method: Other variants fetch files disguised as JPGs and then assemble executable code from them on the victim’s system.
- Unique Aspects: Different variants exhibit distinct User-Agent strings, mimicking browsers to appear legitimate.
Remediation and Recommendations for Cybersecurity Teams
Identifying Threat Patterns
- Monitor for unusual attachment types and links within emails, focusing on Excel documents with VBA macros.
- Inspect network traffic for unusual requests to .shop domains and for responses whose content type does not match the requested file type.
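The two detection points above (macro-bearing Excel attachments, and "JPG" downloads from .shop domains whose content does not match) together with the JPG-disguise and User-Agent observations in the Payload Retrieval section can be turned into a small triage routine. The Python below is an added example written for this post, not code or indicators from the campaign itself: the workbook bytes, the proxy records, and the set of "known" browser User-Agents are all constructed here, and the .shop check, the JPEG magic bytes (FF D8 FF) and the PE "MZ" signature are the only facts it relies on.

```python
import io
import zipfile
from urllib.parse import urlparse

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG begins with the SOI marker FF D8 FF
PE_MAGIC = b"MZ"               # DOS header signature of a Windows PE image

# Browser User-Agents the (hypothetical) organization's managed endpoints
# actually send; anything else fetching a "JPG" deserves a second look.
KNOWN_UAS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
}


def build_workbook(with_macro):
    """Constructed minimal OOXML-style zip standing in for an .xlsx/.xlsm.
    A real workbook has many more parts; only the part names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # vbaProject.bin is an OLE container; the CFB magic is enough here
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


def has_vba_project(data):
    """True if an OOXML file carries a VBA project part (xl/vbaProject.bin).
    Legacy OLE-based .xls files are not zips and need an OLE parser instead."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def content_mismatch(url, content_type, body):
    """Reasons why a response claiming to be a JPG does not look like one."""
    reasons = []
    if urlparse(url).path.lower().endswith((".jpg", ".jpeg")):
        if not content_type.lower().startswith("image/jpeg"):
            reasons.append("JPG URL served as " + content_type)
        if not body.startswith(JPEG_MAGIC):
            reasons.append("body lacks JPEG magic bytes")
        if body.startswith(PE_MAGIC):
            reasons.append("body is a PE (MZ) image")
    return reasons


def triage_record(url, content_type, body, user_agent):
    """Return (verdict, reasons): 'alert' on a content mismatch, 'review' when
    only weak signals (.shop host, unknown User-Agent) are present, else 'ok'."""
    reasons = content_mismatch(url, content_type, body)
    strong = bool(reasons)
    host = urlparse(url).hostname or ""
    if host.endswith(".shop"):
        reasons.append("request to .shop domain")
    if user_agent not in KNOWN_UAS:
        reasons.append("User-Agent not seen from managed browsers")
    if strong:
        return "alert", reasons
    return ("review", reasons) if reasons else ("ok", reasons)


# Constructed proxy records: URL, response Content-Type, first body bytes, UA.
SAMPLE_RECORDS = [
    ("https://cdn.example.shop/img/banner.jpg", "image/jpeg",
     b"\xff\xd8\xff\xe0\x00\x10JFIF",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
    ("https://assets.example.shop/p/1337.jpg", "application/octet-stream",
     b"MZ\x90\x00\x03\x00",
     "Mozilla/5.0 (Windows NT 10.0; WOW64) Firefox/115.0"),
    ("https://www.example.com/logo.jpg", "image/jpeg",
     b"\xff\xd8\xff\xe1\x12\x34Exif",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
]


def triage_all(records):
    """Verdict per record, in input order."""
    return [(url, triage_record(url, ct, body, ua)[0]) for url, ct, body, ua in records]


if __name__ == "__main__":
    print("macro workbook:", has_vba_project(build_workbook(True)))
    print("clean workbook:", has_vba_project(build_workbook(False)))
    for url, verdict in triage_all(SAMPLE_RECORDS):
        print(verdict, url)
```

The zip check only proves that a VBA project is present, not that it is malicious; in practice the flagged file would go on to a sandbox or a dedicated macro analyzer. The magic-byte check is deliberately independent of the Content-Type header, because a server that lies about the extension can lie about the header too.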
Containment Strategies
- Implement application whitelisting to prevent unauthorized macro execution in Office files.
- Utilize sandbox environments for opening suspicious attachments to observe potential malicious behaviors.
Mitigation Practices
- Engage in routine patching of Office applications to protect against exploitation of known vulnerabilities.
- Deploy advanced EDR (Endpoint Detection and Response) solutions capable of tracing and responding to atypical DLL loading activities.
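The Execution bullet above notes that the DLL is run through regsvr32.exe or rundll32.exe, and this recommendation asks for tooling that notices atypical DLL loading. The Python below is an added example of what such a rule looks like when run over process-creation telemetry; it is not the post's code and not a vendor rule. The events are constructed in the shape of Sysmon Event ID 1 records (image, command line, parent image), the user names and paths are made up, and the heuristics (DLL loaded from a user-writable directory, LOLBin spawned by an Office process) are the author's assumptions about what is worth an analyst's attention.

```python
import re

LOLBINS = ("rundll32.exe", "regsvr32.exe")
OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")

# Directories a standard user can write to; a DLL loaded from here by a
# signed system binary is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)
# A .dll argument, either quoted (may contain spaces) or bare (ends at space/comma).
DLL_ARG = re.compile(r'"([^"]+?\.dll)"|([^\s,"]+\.dll)', re.IGNORECASE)

# Constructed process-creation events, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\report.dll,Start",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /u C:\Users\alice\Downloads\archive\update.dll",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "parent": r"C:\Program Files\Vendor\setup.exe"},
]


def extract_dll_path(cmdline):
    """First .dll argument on the command line (quotes stripped), or None."""
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def score_event(ev):
    """Reasons this event deserves analyst attention; empty means nothing of note."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return []
    reasons = []
    dll = extract_dll_path(ev["cmdline"])
    if dll and USER_WRITABLE.search(dll):
        reasons.append(f"{image} loads DLL from user-writable path: {dll}")
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office process {parent}")
    return reasons


def triage(events):
    """(command line, reasons) for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline)
        for r in reasons:
            print("   ", r)
```

Neither heuristic is a verdict on its own: Office spawning rundll32 happens legitimately, and so does loading a DLL from %TEMP% during installs. The value is in the combination and in being able to ask the EDR for the parent chain and the DLL's hash once the event is flagged.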
Preventative Measures
- Conduct regular cybersecurity awareness training focusing on phishing and spear-phishing tactics.
- Enforce strict macro-execution policies: disable macros by default and educate staff on the risks.
This Ghostwriter campaign underlines the actor’s evolving tactics, exploiting political contexts for cyber espionage. By harnessing robust detection mechanisms and proactive defense strategies, organizations can better mitigate such sophisticated threats, protecting against continuous state-linked espionage campaigns.