Hackers deploy the PicassoLoader malware against Ukrainian orgs

July 30, 2024

An alleged Belarusian-backed cybercriminal organisation utilised the PicassoLoader malware to target Ukrainian companies and government institutions.

According to reports, the notorious GhostWriter group, also known as UAC-0057, is the suspected hacker gang that deployed the malware. Researchers claimed that PicassoLoader is one of the group’s regular malicious toolsets, along with the Cobalt Strike Beacon backdoor, which they commonly used for their campaign.

The Ukrainian government's cybersecurity agency, CERT-UA, believes that the most likely targets of these attacks were local government offices and US representatives. The US Agency for International Development (USAID) oversees civilian foreign aid and development assistance.

CERT-UA explained that the threat actors sent phishing emails referencing USAID's Hoverla project, which aims to modernise Ukraine's local governance system. The email subject is a lure chosen to bait victims by capitalising on the ongoing war in the region.

The report does not state the campaign's objective, although GhostWriter is known mainly for its cyber espionage operations. Other researchers suspect the group may be interested in Ukraine's financial and economic indicators, taxation, and local self-government reform.


GhostWriter, with its PicassoLoader malware, has been a menace to Ukrainian organisations ever since Russia decided to execute an invasion of the country.


Earlier this month, the GhostWriter group used the PicassoLoader malware to target Ukrainian government organisations. In August last year, the same tool was used to attack Ukraine’s National Defense University.

The same group targeted Ukraine’s Ministry of Defense and a military base last month, indicating that Ukraine is the top priority for their campaigns.

According to an analysis published a couple of years ago, GhostWriter is linked to the Belarusian government, and its campaigns align with Belarus's stated positions. These details lead researchers to suspect that Russia may have some influence over the country's decision-making and over GhostWriter's activities.

GhostWriter has also targeted other countries allied with Kyiv, such as Lithuania, Latvia, and Poland. The group is known for reusing the same malicious tools across operations, including PicassoLoader, AgentTesla, Cobalt Strike Beacon, and njRAT.

Experts expect that the group will not slow its hostile activity against Ukraine anytime soon: even if it does not directly support Russia's objectives, it still takes advantage of the ongoing conflict to carry out its missions.
