
PicassoLoader Malware

Infosec experts have identified a series of cyberattack campaigns against targets in Ukraine and Poland. Cybercriminals are focused on compromising government entities, military organizations and civilian users. These campaigns aim to illicitly obtain sensitive data and establish continuous remote access to the compromised systems.

Spanning the period from April 2022 to July 2023, this intrusion campaign has used a variety of tactics. Phishing lures and decoy documents are employed to deceive victims and deliver a downloader malware known as PicassoLoader. This threatening software serves as a gateway for launching further unsafe tools, specifically the Cobalt Strike Beacon and njRAT.

Phishing lures are deceptive techniques used to trick individuals into disclosing sensitive information, such as usernames, passwords or account credentials. Decoy documents are disguised files designed to appear legitimate but actually contain unsafe payloads. By enticing victims to interact with these decoy documents, the attackers can execute the PicassoLoader downloader onto their systems.

Once PicassoLoader is successfully deployed, it serves as a conduit for the next stage of the attack, enabling the installation and execution of two additional types of malware: the Cobalt Strike Beacon and njRAT. Cobalt Strike is a commercial penetration-testing framework whose Beacon implant is widely abused by attackers to control compromised systems. njRAT is a remote access trojan that provides the attackers with persistent unauthorized access to infected systems, allowing them to carry out malicious activities while trying to avoid detection.

The PicassoLoader Malware is Deployed as Part of a Multistage Infection Chain

The attackers behind PicassoLoader use a multistage infection chain to carry out their harmful activities. The initial stage relies on malicious Microsoft Office documents, with Microsoft Excel and PowerPoint file formats being the most commonly employed. These documents serve as the starting point for the attack.

After the Office document stage, an executable downloader and its payload are concealed within an image file. This tactic was likely chosen to make detection of the downloader and payload harder for security products: by hiding inside what looks like an ordinary image, the attackers aim to bypass security measures and increase the chances of a successful infiltration.

Some of these attacks have been attributed to a threat actor known as GhostWriter, also tracked as UAC-0057 or UNC1151. The motivations and objectives of GhostWriter are believed to align with the interests of the Belarusian government.

Numerous Targeted Attacks against Ukraine Have Been Observed

It is worth mentioning that a subset of these attacks had already been documented over the past year by Ukraine's Computer Emergency Response Team (CERT-UA). One notable example occurred in July 2022, in which macro-laden PowerPoint documents were employed to deliver the Agent Tesla malware. This incident highlighted the use of macros as a means of distributing malware and compromising victims' systems.

The infection chains used in these attacks rely on social engineering to convince victims to enable macros within the Office documents. Once macros are enabled, a VBA macro runs and deploys the PicassoLoader DLL downloader. The downloader then connects to a site controlled by the attackers to retrieve the next-stage payload, which is embedded within a seemingly legitimate image file; the final malware is concealed inside that image.
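As an added defensive check (not code from the original article or from any of the tooling it reports on), the following Python script walks a PNG's chunk list and flags data appended after the IEND chunk that carries a DOS/PE header, one way a "seemingly legitimate image file" can carry an executable stage. The article does not say how PicassoLoader's image files embed their payload, so the appended-data case is an assumption, and the sample PNG is constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_iend_offset(data: bytes):
    """Walk the chunk list; return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            return None  # truncated chunk
        # CRC covers chunk type + body; a corrupt chunk would be rejected by a decoder
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF != struct.unpack_from(">I", data, chunk_end - 4)[0]:
            return None
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    return None

def looks_like_pe(blob: bytes) -> bool:
    """True if blob holds a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    mz = blob.find(b"MZ")
    if mz == -1 or len(blob) < mz + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
    return blob[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\x00\x00"

def inspect_png(data: bytes) -> dict:
    """Report how many bytes follow IEND and whether they carry an embedded PE image."""
    end = png_iend_offset(data)
    if end is None:
        return {"valid_png": False, "trailer_len": 0, "pe_in_trailer": False}
    trailer = data[end:]
    return {"valid_png": True, "trailer_len": len(trailer), "pe_in_trailer": looks_like_pe(trailer)}

def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as clean sample input (not a real artefact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit pixel
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")
```

Any non-zero trailer after IEND is itself worth a closer look, since a well-formed PNG should end exactly at that chunk; the PE check only narrows the alert to the case this article describes.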

These recent disclosures by CERT-UA coincide with their reporting on several phishing operations distributing the SmokeLoader malware. Additionally, a smishing attack was identified, targeting Telegram users with the objective of gaining unauthorized control over their accounts.

GhostWriter is Just One of the Cybercrime Groups Targeting Ukraine

Ukraine has become a target for multiple threat actors, including the notorious Russian nation-state group APT28. APT28 has been observed sending phishing emails with HTML attachments that trick recipients into believing there is suspicious activity in their UKR.NET and Yahoo! accounts. The emails prompt users to change their passwords but instead lead them to fake landing pages designed to collect their login credentials.

This recent development is part of a broader pattern observed in the activities of Russian military intelligence (GRU)-associated hackers. They have adopted a 'standard five-phase playbook' in their disruptive operations against Ukraine, demonstrating a deliberate effort to enhance the speed, scale, and intensity of their attacks.
