Cyble Research and Intelligence Labs (CRIL) researchers have observed a new sophisticated phishing campaign from the Belarusian government-linked threat actor “UNC1151” targeting the Ukraine Ministry of Defense to facilitate covert espionage operations.
UNC1151 has previously been linked to large-scale, long-running influence campaigns that align with Russia’s geopolitical interests and anti-NATO narratives.
UNC1151 Targets Ukraine Ministry of Defense With Phishing Lures
Researchers from Mandiant had earlier tracked the group’s operations that were active since at least 2017 as the “Ghostwriter Operation/UNC1151.” The researchers concluded that the campaign was aimed at spreading pro-Russian narratives and disinformation to targeted audiences in Ukraine, Lithuania, Latvia and Poland.
Recently, CRIL researchers discovered a new campaign from the Belarusian group targeting the Ukrainian and Polish government, with primary focus on the Ukranian Ministry of Defense and the Ukrainian military, with socially-engineered malicious Excel worksheet (XLS) files, since at least April 2024.
These files, purporting to be official documents, are distributed to victims through the use of spam emails. Once the spreadsheet is opened, an “Enable Content” button attempts to direct victims into inadvertently initiating the execution of an embedded VBA (Visual Basic for Applications) macro.
This malicious macro file drops a shortcut file (LNK) and a malicious DLL (dynamic-link library) file on the victim’s system. Execution of the LNK shortcut file then initiates the DLL file through the use of the operating system’s built-in Rundll32.exe file (commonly abused to load malicious DLLs), with the DLL leading to the infection of the system through the use of hidden and encrypted seemingly innocuous “.svg” image files.
The researchers observed a hidden DLL file upon decrypting these .svg image files, concluding that it likely leads to the final payload, citing a Talos Intelligence study of the group’s campaign last year where researchers observed the use of “.jpg” image files to deliver payloads. However, CRIL researchers were unable to retrieve the final encrypted payloads from these .svg files, suggesting improved obfuscation practices.
They suspect that the final payload potentially includes the same vicious malware such as njRAT, AgentTesla, and Cobalt Strike that were present in the encrypted .jpg image files observed in the previous campaign. The researchers believe the payload aims at exfiltrating information from infected systems in addition to establishing unauthorized remote control over them.
Previous UNC1151 Campaign and Advancements
Inspection of the lure documents in the recent phishing campaign led the researchers to suspect that it primarily targeted the Ukraine Ministry of Defense. The researchers highlighted the similarity and differences in the recent campaign to an earlier campaign last year targeting the Ukrainian and Polish government, along with their military and civilians.
The 2023 campaign similarly operated through the use of Excel and PowerPoint files to trick users into running hidden macro code, which led to the load of malicious .LNK shortcut files and DLL files on the infected system.
However, the newer campaign employed different phishing lures such as images of drones, and the document purports to be from the Ukrainian Ministry of Defense. While the encrypted .jpg image files in the previous campaign directly concealed an .EXE file, the new campaign’s .svg image files instead concealed an additional malicious DLL file. This DLL file is loaded into the system’s temporary directory (%Temp%) and run through the use of the legitimate Rundll32.exe present on the Windows operating system.
The researchers cite these variances as an example of the group’s evolving tactics, with a sustained effort to compromise Ukrainian targets for strategic gain. The researchers recommend the use of email filtering systems, verification of the identity of email senders, limiting the execution of scripting languages, setup of network-level monitoring, and regular backup of important data.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
