Select Page

A Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict.

The method, which masquerades as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.

“Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites,” Google’s Threat Analysis Group (TAG) said in a new report, using it to siphon credentials entered by unsuspected victims to a remote server.

Among other groups using the war as a lure in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include Mustang Panda and Scarab as well as nation-state actors from Iran, North Korea, and Russia.

Also included in the list is Curious Gorge, a hacking crew that TAG has attributed to China’s People’s Liberation Army Strategic Support Force (PLASSF), which has orchestrated attacks against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.

A third set of attacks observed over the past two-week period originated from a Russia-based hacking group known as COLDRIVER (aka Calisto). TAG said that the actor staged credential phishing campaigns targeting multiple U.S.-based NGOs and think tanks, the military of a Balkans country, and an unnamed Ukrainian defence contractor.

images from Hacker News