Ghostwriter is one of 3 campaigns using war-themed attacks coming in from government-backed actors in China, Iran, North Korea & Russia.
Ghostwriter – a threat player previously linked with the Belarusian Ministry of Defence – has morphed onto the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.
Govt.-Backed
In a Wed. post, Google’s Threat Analysis Group (TAG) revealed that they’d already spotted BitB being used by multiple govt.-backed players prior to the media turning their eye on BitB earlier this month.
The attention was triggered by a penetration tester & security researcher – who goes by the handle ‘mr.d0x’ – who posted a description of BitB.
Ghostwriter players quickly noticed BitB, combining it with another of the advanced persistent threat’s (APT’s) phishing techniques: i.e., hosting credential-phishing landing pages on compromised sites.
BitB
The newly disclosed credential-phishing method of BitB takes advantage of 3rd-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple or Microsoft.
These days, SSO popups are a routine way to authenticate when you sign in.
However, according to mr.d0x’s post, completely creating a malicious version of a popup window is easy: It’s “quite simple” using basic HTML/CSS, the researcher explained a few weeks ago. The popups simulate a browser window within the browser, spoofing a legitimate domain, & making it possible to stage convincing phishing attacks.
Malicious Server
“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, & it’s basically indistinguishable,” mr.d0x wrote then.
JavaScript can make the window appear on a link, button click or page loading screen. Also, libraries – such as the popular JQuery JavaScript library – can make the window appear visually attractive.
Phishing on Compromised Sites
TAG gave an example, of how Ghostwriter has hosted credential phishing landing pages on compromised sites:
The BitB technique consists of drawing a login page that appears to be on the passport.i.ua domain, over the page hosted on the compromised site. “Once a user provides credentials in the dialog, they are posted to an attacker-controlled domain,” TAG researchers explained.
TAG has recently observed Ghostwriter credential-phishing on these domains:
- login-verification[.]top
- login-verify[.]top
- ua-login[.]top
- secure-ua[.]space
- secure-ua[.]top
Other Campaigns Launched by Govt.-Backed Players
Since early March, Ghostwriter’s use of BitB is only 1 of a trio of cyber aggressions that TAG has been tracking with regards to Russia’s invasion of Ukraine.
The use of the war as a lure in phishing & malware campaigns has continued to grow throughout March, TAG stated, with associated cyber-assaults coming in from govt.-backed players from China, Iran, N. Korea & Russia, as well as from various ‘unattributed’ groups, according to TAG’s post.
Players “have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” TAG stated.
‘Curious Gorge’
Besides Ghostwriter’s BitB campaigns, TAG has seen a group it is calling Curious Gorge that it attributes to China’s PLA SSF conducting campaigns against govt. & military organisations in Ukraine, Russia, Kazakhstan & Mongolia.
“While this activity largely does not impact Google products, we remain engaged & are providing notifications to victim organisations,” TAG advised.
Below is a list of IPs used in Curious Gorge campaigns that TAG has recently observed:
- 5.188.108[.]119
- 91.216.190[.]58
- 103.27.186[.]23
- 114.249.31[.]171
- 45.154.12[.]167
COLDRIVER
Finally, TAG has also observed COLDRIVER – a Russia-based threat player, sometimes referred to as Calisto – that has launched credential-phishing campaigns targeting several US-based NGOs & think tanks, the military of a Balkans country, & a Ukraine based defence contractor.
Now, however, for the 1st time, COLDRIVER is targeting the military of multiple Eastern European countries & a NATO Centre of Excellence, TAG reported.
Gmail Accounts
Google does not know how successful these campaigns have been, given that they were issued from newly created Gmail accounts to non-Google accounts. Also, Google has not seen any Gmail accounts successfully compromised because of these campaigns, TAG outlined.
Recently observed COLDRIVER credential phishing domains:
- protect-link[.]online
- drive-share[.]live
- protection-office[.]live
- proton-viewer[.]com
