A new wave of cyberattacks linked to the Ghostwriter Advanced Persistent Threat (APT) group has been identified, targeting Ukrainian government agencies, military organizations, and Belarusian opposition activists.
This campaign, active since late 2024, employs weaponized Excel (.XLS) files embedded with obfuscated macros to deliver malware payloads, marking an evolution in Ghostwriter’s tactics.
Sophisticated Campaign Targets Ukrainian and Belarusian Entities
The malicious campaign leverages socially engineered lures tailored to its targets.
For instance, one Excel file titled “Political Prisoners in Minsk Courts” was distributed via phishing emails containing a downloadable RAR archive.
Upon opening the Excel document, users unknowingly activated a hidden VBA macro that deployed a malicious DLL file disguised as “Realtek(r)Audio.dll.”
This file executed a .NET assembly designed to download additional payloads while evading detection through advanced obfuscation techniques like ConfuserEx.
The decoy documents used in these attacks appear credible, containing content such as lists of criminal charges and judicial information.
However, this data was publicly available and was likely reused to enhance the authenticity of the lure.
In one instance, the malware fetched an image file from a command-and-control (C2) server but delivered no additional payload during analysis.
Researchers suspect that actual targets receive more harmful payloads only after the attackers have profiled the visitor by IP address and browser fingerprint.
Further analysis revealed multiple related weaponized Excel files with themes such as anti-corruption initiatives and military supply reports, all tailored to Ukrainian audiences.
These files utilized similar tactics: Macropack-obfuscated VBA macros to execute malicious DLLs and download subsequent stages from compromised domains using hardcoded User-Agent strings mimicking legitimate browsers.
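The chain described above (Excel macro dropping a DLL into a user-writable directory, a DLL host launched by Excel, and a non-browser process calling out with a browser User-Agent) can be checked in endpoint telemetry. The following triage script is an added example, not code from the SentinelLabs report; the field names, process paths and sample events are constructed for illustration.

```python
import re

# Process names involved in the described chain (lower-cased for comparison).
OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
# A UA that claims to be a mainstream browser.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*(Chrome|Firefox|Safari)/", re.I)
# Locations an Office macro can write to without elevation.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule_name, event_index) pairs for events matching the macro -> DLL -> download chain."""
    hits = []
    for i, ev in enumerate(events):
        img, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
        if ev["type"] == "file_create" and img in OFFICE:
            target = ev["target"]
            if target.lower().endswith(".dll") and USER_WRITABLE.match(target):
                hits.append(("office_drops_dll", i))
        elif ev["type"] == "process_create" and parent in OFFICE and img in DLL_HOSTS:
            hits.append(("office_spawns_dll_host", i))
        elif ev["type"] == "network" and img not in BROWSERS and BROWSER_UA.match(ev.get("user_agent", "")):
            hits.append(("non_browser_with_browser_ua", i))
    return hits

# Constructed sample telemetry (Sysmon-style fields); not captured from the campaign.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": EXCEL, "target": r"C:\Users\alice\AppData\Local\Temp\Realtek(r)Audio.dll"},
    {"type": "file_create", "image": EXCEL, "target": r"C:\Users\alice\Documents\budget.xlsx"},  # benign
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe", "parent": EXCEL,
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Realtek(r)Audio.dll,Start"},
    {"type": "network", "image": r"C:\Windows\System32\rundll32.exe", "dest": "cloned-site.shop", "user_agent": UA},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "example.com", "user_agent": UA},  # benign: a real browser using a browser UA
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```

Each rule on its own is noisy in some environments; the value is in seeing two or three of them fire for the same user session within minutes of an Office document being opened.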
Malware Exploits Excel Macros to Deploy Advanced Payloads
Ghostwriter’s malware arsenal includes a simplified version of PicassoLoader, a downloader previously associated with the group.
This tool dynamically modifies itself in memory to evade detection and executes secondary stages such as LibCMD, which enables remote command execution via cmd.exe.
The attackers also employed deceptive techniques like embedding malicious code in seemingly benign image files hosted on cloned websites with altered domain extensions (e.g., “.shop” instead of “.com”).
Attribution links this campaign to Ghostwriter (also known as UNC1151 or UAC-0057), a group tied to Belarusian state interests.
The malware’s technical sophistication underscores its purpose: espionage against entities opposing Belarus and its allies.
Ghostwriter has consistently targeted Ukraine throughout 2024, leveraging cyber operations to support geopolitical objectives amid ongoing regional tensions.
Organizations in Ukraine and neighboring regions are advised to remain vigilant against phishing campaigns and implement robust email filtering and endpoint protection measures.
SentinelLabs researchers continue to monitor Ghostwriter’s activity and encourage potential victims to report suspicious incidents for further investigation.