The phishing messages use a RAR archive named “Saboteurs.rar”, which contains a second RAR archive, “Saboteurs 21.03.rar”.
This second archive contains an SFX archive, “Saboteurs filercs.rar”; experts reported that the file name contains the right-to-left override (RTLO) character to mask the real extension.
The archive contains decoy documents and images, as well as VBScript code (Thumbs.db) that creates and runs the .NET program “dhdhk0k34.com”.
The attack chain ends with the delivery of the Cobalt Strike Beacon malware by an injector (“inject.exe”).
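As an added illustration of the RTLO trick described above (this is not code from the original report), the following Python check compares the extension a user would see with the one the operating system actually uses. The sample file name is constructed to reproduce the displayed name reported above; it is not the real file from the campaign.

```python
# Constructed sample: an ASCII name with a RIGHT-TO-LEFT OVERRIDE (U+202E)
# placed so that a bidi-aware viewer shows "...filercs.rar" while the OS
# sees a ".scr" file. It is an illustration, not the file from the campaign.
SAMPLE_NAME = "Saboteurs file\u202erar.scr"

# Unicode bidi controls that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings, overrides, PDF
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates and PDI
    "\u200e", "\u200f",                                # LRM / RLM marks
}


def rendered_name(name: str) -> str:
    """Approximate what a viewer displays: the run after U+202E is drawn
    reversed until a pop (U+202C/U+2069) or the end of the string."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] not in ("\u202c", "\u2069"):
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Compare the extension a user sees with the one the OS will use."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = rendered_name(name)
    true_ext = logical.rsplit(".", 1)[-1].lower() if "." in logical else ""
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "controls": controls,
        "rendered_name": shown,
        "true_extension": true_ext,
        "apparent_extension": shown_ext,
        # any bidi control in a file name is worth a look; a mismatch is the
        # classic extension-masking pattern described above
        "suspicious": bool(controls) and true_ext != shown_ext,
    }
```

Running `analyze_filename` over names extracted from mail attachments or archive listings flags any entry containing bidi controls, and reports the mismatch between the apparent and real extension.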
The attribution of the campaign to the GhostWriter APT (aka UAC-0051, UNC1151) is based on the code of the VBScript used in the attack.
Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks; instead, the threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
The operators behind Ghostwriter targeted Belarusian entities before the 2020 elections; some of the individuals (representatives of the Belarusian opposition) targeted by the nation-state actor were later arrested by the Belarusian government.
Sensitive technical information gathered by the researchers suggests the threat actors were operating from Minsk, Belarus under the control of the Belarusian Military.