Belarusian ‘Ghostwriter’ Player Uses BitB for Ukraine-Linked Attacks!

Ghostwriter is one of 3 war-themed campaigns that government-backed actors in China, Iran, North Korea & Russia are running.

Ghostwriter – a threat player previously linked with the Belarusian Ministry of Defence – has adopted the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.

Govt.-Backed

In a Wednesday post, Google’s Threat Analysis Group (TAG) revealed that it had already spotted BitB being used by multiple govt.-backed players before the media turned their attention to BitB earlier this month.

The attention was triggered by a penetration tester & security researcher – who goes by the handle ‘mr.d0x’ – posting a description of BitB.

Ghostwriter players quickly noticed BitB & combined it with another of the advanced persistent threat’s (APT’s) phishing techniques: hosting credential-phishing landing pages on compromised sites.

BitB

The newly disclosed credential-phishing method of BitB takes advantage of 3rd-party single sign-on (SSO) options embedded on websites that open popup windows for authentication, such as “Sign in with Google,” Facebook, Apple or Microsoft.

These days, SSO popups are a routine way to authenticate when you sign in.

However, according to mr.d0x’s post, creating a malicious version of such a popup window is easy: it’s “quite simple” using basic HTML/CSS, the researcher explained a few weeks ago. The popups simulate a browser window within the browser, spoofing a legitimate domain & making it possible to stage convincing phishing attacks.

Malicious Server

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, & it’s basically indistinguishable,” mr.d0x wrote then.

JavaScript can make the window appear on a link click, a button click or a page-loading screen. Libraries – such as the popular jQuery JavaScript library – can also make the window visually attractive.

Phishing on Compromised Sites

TAG gave an example of how Ghostwriter has hosted credential-phishing landing pages on compromised sites:

The BitB technique consists of drawing a login page that appears to be on the passport.i.ua domain over the page hosted on the compromised site. “Once a user provides credentials in the dialog, they are posted to an attacker-controlled domain,” TAG researchers explained.
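The mismatch TAG describes above (a login page drawn to look like passport.i.ua while the credentials go elsewhere) can be checked for in a captured page. The following is an added example, not code from TAG, mr.d0x or the article: it scans HTML for visible text that displays a known SSO hostname alongside an iframe that loads from a different host. The SSO_HOSTS set, the attacker-controlled.example host and both HTML fragments are constructed assumptions for the example.

```python
"""Heuristic check for Browser-in-the-Browser (BitB) chrome in a captured page.
A real SSO popup is a separate window; a BitB fake is an in-page element that
shows a trusted hostname as text while an <iframe> loads a form from elsewhere.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (not from the article): hostnames genuine SSO popups would show.
SSO_HOSTS = {"accounts.google.com", "login.microsoftonline.com",
             "www.facebook.com", "appleid.apple.com", "passport.i.ua"}
# Matches a bare or URL-prefixed hostname inside visible page text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class BitBScanner(HTMLParser):
    """Collects hostnames shown as text and hostnames that iframes load."""

    def __init__(self):
        super().__init__()
        self.displayed_hosts = []  # text that looks like an address bar
        self.iframe_hosts = []     # where embedded frames really point

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            host = urlsplit(dict(attrs).get("src") or "").hostname
            if host:
                self.iframe_hosts.append(host.lower())

    def handle_data(self, data):
        for m in HOST_RE.finditer(data):
            self.displayed_hosts.append(m.group(1).lower())


def bitb_findings(html):
    """Return (displayed_host, iframe_host) pairs where the page shows a known
    SSO hostname as text but an iframe loads from a different host."""
    p = BitBScanner()
    p.feed(html)
    return [(d, f) for d in p.displayed_hosts if d in SSO_HOSTS
            for f in p.iframe_hosts if f != d and not f.endswith("." + d)]


# Constructed samples: a BitB-style fragment and a benign embedded widget.
SAMPLE_BITB = ('<div class="fake-window"><span class="bar">'
               'https://accounts.google.com/o/oauth2</span>'
               '<iframe src="https://attacker-controlled.example/login"></iframe></div>')
SAMPLE_BENIGN = ('<span>accounts.google.com</span>'
                 '<iframe src="https://accounts.google.com/gsi/button"></iframe>')
```

This is a triage heuristic for captured pages, not a browser-side defence; the simplest manual tell remains that a genuine popup is its own window and can be dragged outside the parent page, while a BitB fake cannot.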

TAG has recently observed Ghostwriter credential-phishing on these domains:

  • login-verification[.]top
  • login-verify[.]top
  • ua-login[.]top
  • secure-ua[.]space
  • secure-ua[.]top

Other Campaigns Launched by Govt.-Backed Players

Ghostwriter’s use of BitB is only 1 of a trio of cyber aggressions related to Russia’s invasion of Ukraine that TAG has been tracking since early March.

The use of the war as a lure in phishing & malware campaigns has continued to grow throughout March, TAG stated, with associated cyber-assaults coming in from govt.-backed players from China, Iran, N. Korea & Russia, as well as from various ‘unattributed’ groups.

Players “have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” TAG stated.

‘Curious Gorge’

Besides Ghostwriter’s BitB campaigns, TAG has seen a group it calls Curious Gorge, which it attributes to China’s PLA SSF, conducting campaigns against govt. & military organisations in Ukraine, Russia, Kazakhstan & Mongolia.

“While this activity largely does not impact Google products, we remain engaged & are providing notifications to victim organisations,” TAG advised.

Below is a list of IPs used in Curious Gorge campaigns that TAG has recently observed:

  • 5.188.108[.]119
  • 91.216.190[.]58
  • 103.27.186[.]23
  • 114.249.31[.]171
  • 45.154.12[.]167

COLDRIVER

Finally, TAG has also observed COLDRIVER – a Russia-based threat player, sometimes referred to as Calisto – launching credential-phishing campaigns targeting several US-based NGOs & think tanks, the military of a Balkans country, & a Ukraine-based defence contractor.

Now, however, for the 1st time, COLDRIVER is targeting the military of multiple Eastern European countries & a NATO Centre of Excellence, TAG reported.

Gmail Accounts

Google does not know how successful these campaigns have been, given that they were sent from newly created Gmail accounts to non-Google accounts. Google has also not seen any Gmail accounts successfully compromised by these campaigns, TAG outlined.

Recently observed COLDRIVER credential phishing domains:

  • protect-link[.]online
  • drive-share[.]live
  • protection-office[.]live
  • proton-viewer[.]com