This Picasso is a con artist – an update on the latest Ghostwriter activities
Ghostwriter is a name used for a set of activities clustered around misinformation campaigns conducted by at least two threat actor groups, UNC2589 and UNC1151 (based on the Mandiant naming). Based on the previous research, the main goal of conducting the Ghostwriter malicious activities is to harvest journalist credentials in countries neighboring Belarus and using the credentials to publish news articles with false information about the events influencing relationships between the targeted countries. Since the beginning of the war in Ukraine, Ghostwriter activities have shifted their attention to the government, military and business users in Ukraine in Poland. These activities have been attributed by the Computer Emergency Response Team of Ukraine (CERT-UA) mostly to UNC1151. In the second half of the year, we discovered several new campaigns attributed to UNC1151, which allowed us to discover earlier campaigns, reaching back to April 2022. The campaigns were using official documents as lures with a multistage infection process that uses different techniques to drop and run a sample of previously undocumented .NET downloader, Picasso Loader. The loader is used to download, decrypt and reflectively load the final payload, which is appended to an image file and hosted by the infrastructure controlled by the attackers. The latest campaign (end of August, 2023), makes use of the vulnerability in parsing ZIP archives by the WinRAR archiver (CVE-2023-38831), allowing the actors to launch a Javascript equivalent of the Picasso loader in the background when a malicious ZIP file is opened by the victim. This last minute presentation will document the latest activities attributed to UNC1151. In addition to that we will provide attendees with the background information required to understand the wider context and the origin of Ghostwriter activities, which can be traced all the way back to 2016.
Mr. Vanja Svajcer
Vanja Svajcer works as a Technical Leader at Cisco Talos. He is a security researcher with more than 20 years of experience in malware research, cyber threat intelligence and detection development.
Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks all the time spent hunting in telemetry data to find new attacks is well worth the effort. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalCCon and others.