Cyber News Group
View Events

Belarusian ‘Ghostwriter’ Player Uses BitB for Ukraine-Linked Attacks!

Belarusian ‘Ghostwriter’ Player Uses BitB for Ukraine-Linked Attacks!

Ghostwriter is one of 3 campaigns using war-themed attacks coming in from government-backed actors in China, Iran, North Korea & Russia.

Ghostwriter – a threat player previously linked with the Belarusian Ministry of Defence – has morphed onto the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.

Govt.-Backed

In a Wed. post, Google’s Threat Analysis Group (TAG) revealed that they’d already spotted BitB being used by multiple govt.-backed players prior to the media turning their eye on BitB earlier this month.

The attention was triggered by a penetration tester & security researcher – who goes by the handle ‘mr.d0x’ – who posted a description of BitB.

Ghostwriter players quickly noticed BitB, combining it with another of the advanced persistent threat’s (APT’s) phishing techniques: i.e., hosting credential-phishing landing pages on compromised sites.

BitB

The newly disclosed credential-phishing method of BitB  takes advantage of 3rd-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple or Microsoft.

These days, SSO popups are a routine way to authenticate when you sign in.

However, according to mr.d0x’s post, completely creating a malicious version of a popup window is easy: It’s “quite simple” using basic HTML/CSS, the researcher explained a few weeks ago. The popups simulate a browser window within the browser, spoofing a legitimate domain, & making it possible to stage convincing phishing attacks.

Malicious Server

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, & it’s basically indistinguishable,” mr.d0x wrote then.

JavaScript can make the window appear on a link, button click or page loading screen. Also, libraries – such as the popular JQuery JavaScript library – can make the window appear visually attractive.

Phishing on Compromised Sites

TAG gave an example, of how Ghostwriter has hosted credential phishing landing pages on compromised sites:

The BitB technique consists of drawing a login page that appears to be on the passport.i.ua domain, over the page hosted on the compromised site. “Once a user provides credentials in the dialog, they are posted to an attacker-controlled domain,” TAG researchers explained.

TAG has recently observed Ghostwriter credential-phishing on these domains:

  • login-verification[.]top
  • login-verify[.]top
  • ua-login[.]top
  • secure-ua[.]space
  • secure-ua[.]top

Other Campaigns Launched by Govt.-Backed Players

Since early March, Ghostwriter’s use of BitB is only 1 of a trio of cyber aggressions that TAG has been tracking with regards to Russia’s invasion of Ukraine.

The use of the war as a lure in phishing & malware campaigns has continued to grow throughout March, TAG stated, with associated cyber-assaults coming in from govt.-backed players from China, Iran, N. Korea & Russia, as well as from various ‘unattributed’ groups, according to TAG’s post.

Players “have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” TAG stated.

‘Curious Gorge’

Besides Ghostwriter’s BitB campaigns, TAG has seen a group it is calling Curious Gorge that it attributes to China’s PLA SSF conducting campaigns against govt. & military organisations in Ukraine, Russia, Kazakhstan & Mongolia.

“While this activity largely does not impact Google products, we remain engaged & are providing notifications to victim organisations,” TAG advised.

Below is a list of IPs used in Curious Gorge campaigns that TAG has recently observed:

  • 5.188.108[.]119
  • 91.216.190[.]58
  • 103.27.186[.]23
  • 114.249.31[.]171
  • 45.154.12[.]167

COLDRIVER

Finally, TAG has also observed COLDRIVER – a Russia-based threat player, sometimes referred to as Calisto – that has launched credential-phishing campaigns targeting several US-based NGOs & think tanks, the military of a Balkans country, & a Ukraine based defence contractor.

Now, however, for the 1st time, COLDRIVER is targeting the military of multiple Eastern European countries & a NATO Centre of Excellence, TAG reported.

Gmail Accounts

Google does not know how successful these campaigns have been, given that they were issued from newly created Gmail accounts to non-Google accounts. Also, Google has not seen any Gmail accounts successfully compromised because of these campaigns, TAG outlined.

Recently observed COLDRIVER credential phishing domains:

  • protect-link[.]online
  • drive-share[.]live
  • protection-office[.]live
  • proton-viewer[.]com

 

SHARE ARTICLE

OTHER ARTICLES

RELATED ARTICLES

View All Articles
Cyber News TV
Cyber News Events

This is the next generation of conference networking. At Cyber News Group, we have built our stellar reputation on our unique conference experiences for the cybersecurity space. We had the honour of hosting premium events, both in-person and virtual, for leading figures in the public and private sector, providing industry insights, networking opportunities, and sponsor showcases. We wanted to use our extensive database to bring people together – to bring some light to the situation.

Head Office: Hilton House 71-73 Chapel Street Manchester M3 5BZ

Switchboard Number: 0845 307 6277

General Enquiries: info@cybernewsgroup.co.uk

News: news@cybernewsgroup.co.uk

Web Designer – Pixel Created LTD
X-twitter Youtube Linkedin