PicassoLoader Used in Targeted Attacks in Ukraine, Poland


A series of targeted campaigns has been launched to acquire sensitive information and establish persistent remote access to compromised systems in Ukraine and Poland. Government bodies, military organizations, and civilians have fallen victim to these attacks.

Spanning April 2022 to July 2023, the intrusions rely on phishing lures and decoy documents. The most prominent component is PicassoLoader, a downloader that retrieves the next stage from attacker infrastructure; the final payloads observed on compromised systems include Cobalt Strike Beacon and njRAT.

Cisco Talos researcher Vanja Svajcer described a multi-stage chain: a malicious Microsoft Office document, most often Excel or PowerPoint, leads to an executable downloader, and the final payload is concealed inside an image file to evade detection.

Some of this activity is attributed to the GhostWriter threat actor (also tracked as UAC-0057 and UNC1151), whose operations align with Belarusian government interests.

A subset of these attacks was already reported over the past year by Ukraine's CERT-UA and Fortinet FortiGuard Labs, including a July 2022 campaign that used macro-laden PowerPoint documents to distribute the Agent Tesla malware.

Each chain depends on persuading the victim to enable macros. The macro drops a DLL downloader, PicassoLoader, which contacts an attacker-controlled website and fetches the final payload embedded inside a legitimate image file.
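The chain above ends with a payload hidden inside an otherwise valid image fetched by the downloader. The following is an added example, not code from Talos, CERT-UA or this article: a stdlib-only Python check for one common way that is done, bytes appended after the PNG IEND chunk or the JPEG EOI marker. The article does not say which embedding method was used in these campaigns, so treating this as a detection for PicassoLoader specifically is an assumption; it is a generic triage check for any image file a macro or downloader DLL pulled from the network. The sample images and the "MZ" payload are constructed inline, and the function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_end_offset(data: bytes):
    """Walk the PNG chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # 8-byte header + data + 4-byte CRC
        if end > len(data):
            return None                     # truncated chunk
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG segments to SOS, then return the offset just past the EOI marker.

    Entropy-coded data stuffs every 0xFF with 0x00 (or an RSTn marker), so the
    first FF D9 after SOS is the real EOI. Malformed input returns None.
    (Assumption: a single-scan baseline file; multi-scan files with FF D9 inside
    a later table segment would be mis-measured.)
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                  # EOI
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                  # SOS: header, then entropy-coded bytes
            scan = pos + 2 + seg_len
            while scan + 1 < len(data):
                if data[scan] == 0xFF and data[scan + 1] == 0xD9:
                    return scan + 2
                scan += 1
            return None
        pos += 2 + seg_len
    return None


def trailing_bytes(data: bytes):
    """(format, n) with n = bytes after the end marker, -1 if truncated/malformed;
    None when the blob is not PNG or JPEG. Any n > 0 deserves a look."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return None
    return (fmt, -1 if end is None else len(data) - end)


# --- constructed samples, not real campaign artifacts -----------------------

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 8-bit RGB PNG (one red pixel)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + RGB pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg_stub() -> bytes:
    """Structurally valid JPEG skeleton: SOI, APP0, SOS with stuffed entropy data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\xaa\xff\x00\xbb" + b"\xff\xd9"


def scan_samples() -> dict:
    """Run the check over clean and payload-carrying samples; keys name the sample."""
    payload = b"MZ" + b"\x90" * 40                     # stand-in for an appended PE
    samples = {
        "clean.png": make_png_1x1(),
        "stego.png": make_png_1x1() + payload,
        "clean.jpg": make_jpeg_stub(),
        "stego.jpg": make_jpeg_stub() + payload,
        "truncated.png": make_png_1x1()[:-4],
        "notes.txt": b"not an image",
    }
    return {name: trailing_bytes(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, res in scan_samples().items():
        print(name, "->", "not PNG/JPEG" if res is None else res)
```

To triage a real download, read the file in binary mode and pass the bytes to `trailing_bytes`; a result of `("png", 0)` or `("jpeg", 0)` means the container ends where the format says it should, while a positive count is the size of the appended blob to carve out and inspect. The check is deliberately parser-level rather than signature-based, so it is not defeated by XOR-encoding the appended payload; it is defeated by embedding schemes that keep the data inside valid chunks or pixel values, which need a different check.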

CERT-UA recently disclosed a series of phishing operations distributing the SmokeLoader malware, as well as a smishing campaign aimed at hijacking Telegram accounts.

More Threat Actors Targeting Ukraine

In a separate incident, CERT-UA disclosed a cyber espionage campaign against state organizations and media representatives in Ukraine. The operators used email and instant messengers to deliver files that, when opened, ran a PowerShell script tracked as LONEPAGE, which in turn fetched next-stage payloads including a browser stealer (THUMBCHOP) and a keylogger (CLOGFLAG).

GhostWriter is only one of several threat actors targeting Ukraine. APT28, a Russian nation-state group, has sent phishing emails with HTML attachments that urge recipients to change the passwords of their UKR.NET and Yahoo! accounts because of alleged suspicious activity; the links lead to fake landing pages that harvest the entered credentials.

These developments coincide with reporting that Russian military intelligence (GRU) hackers have adopted a "standard five-phase playbook" for disruptive operations against Ukraine, intended to increase the speed, scale, and impact of their attacks.

July 17, 2023
