Cybersecurity researchers have uncovered new details about the infrastructure used by the Ghostwriter advanced persistent threat (APT) group to launch cyber attacks, primarily targeting Ukraine and other Eastern European countries.
The findings, published by multiple security firms, shed light on the sophisticated tactics employed by this Belarus-linked threat actor.
Ghostwriter, also known as UNC1151 and UAC-0057, has been active since at least 2016, focusing on cyber espionage and disinformation campaigns.
In recent months, the group has intensified its efforts against Ukrainian military and government targets.
Researchers from Fortinet, Cyble, Deep Instinct, and the Computer Emergency Response Team of Ukraine (CERT-UA) have collaboratively mapped out Ghostwriter’s infrastructure by analyzing indicators of compromise (IOCs) across multiple campaigns.
A key discovery was the identification of a pattern in domain registration and hosting practices.
Technical Analysis
The group consistently uses domains with the “.shop” generic top-level domain (gTLD), registers them through PublicDomainRegistry, and utilizes Cloudflare name servers.
This pattern allowed researchers to link previously unconnected domains to Ghostwriter’s operations.
One domain, “goudieelectric[.]shop”, appeared in reports from both Cyble and Fortinet, serving as a pivotal point for further investigation. Analysis of this and other domains revealed common characteristics, including the presence of a robots.txt file, which helped confirm their association with Ghostwriter.
By pivoting on these shared attributes, researchers uncovered at least 24 domains likely created by the APT group, including:
- backstagemerch[.]shop
- bryndonovan[.]shop
- chaptercheats[.]shop
- disneyfoodblog[.]shop
- goudieelectric[.]shop
- kingarthurbaking[.]shop
- medicalnewstoday[.]shop
- thevegan8[.]shop
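The pivot described above (shared gTLD, registrar, name servers and a served robots.txt) can be turned into a repeatable scoring step. The following is an added example, not code from the report or from any of the vendors named; it scores candidate domains on the four attributes the text names. All records are constructed sample input with illustrative registrar, DNS and HTTP values (the two report-listed names carry values consistent with the text, the other two are hypothetical), and nothing here performs a live lookup.

```python
"""Score candidate domains against the Ghostwriter registration/hosting pattern:
.shop gTLD, registrar PublicDomainRegistry, Cloudflare name servers, robots.txt.

Added example, not from the original report. Records are constructed sample
input with hypothetical registrar/DNS/HTTP values; no live lookups are made.
"""
from dataclasses import dataclass


@dataclass
class DomainRecord:
    domain: str          # may be defanged as in reports, e.g. "goudieelectric[.]shop"
    registrar: str       # registrar name as a WHOIS/RDAP lookup would return it
    nameservers: list    # authoritative NS names
    has_robots_txt: bool # HTTP 200 for /robots.txt on the host


def refang(domain: str) -> str:
    """Turn report-style defanged names ("a[.]shop") back into resolvable form."""
    return domain.replace("[.]", ".").strip().lower()


def matched_attributes(rec: DomainRecord) -> list:
    """Return which of the four pattern attributes this record shares."""
    hits = []
    if refang(rec.domain).endswith(".shop"):
        hits.append("shop_tld")
    if "publicdomainregistry" in rec.registrar.replace(" ", "").lower():
        hits.append("registrar_pdr")
    # Cloudflare authoritative name servers are always <name>.ns.cloudflare.com
    if rec.nameservers and all(ns.lower().rstrip(".").endswith(".ns.cloudflare.com")
                               for ns in rec.nameservers):
        hits.append("cloudflare_ns")
    if rec.has_robots_txt:
        hits.append("robots_txt")
    return hits


def pivot_score(rec: DomainRecord) -> int:
    return len(matched_attributes(rec))


def pivot_candidates(records, threshold: int = 4) -> list:
    """Refanged, sorted domains that match at least `threshold` attributes."""
    return sorted(refang(r.domain) for r in records if pivot_score(r) >= threshold)


# Constructed sample input. The first two names are from the report's list; the
# attribute values are illustrative, not real lookup results. The last two are
# hypothetical domains that share only some of the attributes.
SAMPLE_RECORDS = [
    DomainRecord("goudieelectric[.]shop", "PDR Ltd. d/b/a PublicDomainRegistry.com",
                 ["ada.ns.cloudflare.com", "rob.ns.cloudflare.com"], True),
    DomainRecord("chaptercheats[.]shop", "PDR Ltd. d/b/a PublicDomainRegistry.com",
                 ["ada.ns.cloudflare.com", "rob.ns.cloudflare.com"], True),
    # Hypothetical legitimate storefront: same TLD and CDN, different registrar
    DomainRecord("handmade-candles-example[.]shop", "Example Registrar Inc.",
                 ["kim.ns.cloudflare.com", "tom.ns.cloudflare.com"], True),
    # Hypothetical domain on the same registrar, self-hosted DNS, different TLD
    DomainRecord("example-news.org", "PDR Ltd. d/b/a PublicDomainRegistry.com",
                 ["ns1.example-news.org"], False),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{refang(rec.domain):32} score={pivot_score(rec)} {matched_attributes(rec)}")
    print("pivot candidates:", pivot_candidates(SAMPLE_RECORDS))
```

Each attribute on its own is weak evidence: plenty of legitimate .shop storefronts sit behind Cloudflare and serve a robots.txt. The score ranks which newly seen domains are worth a closer look (certificate history, hosting overlap, content), it is not attribution by itself, which is why the candidate threshold defaults to all four attributes.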
The group’s attack chain typically begins with spear-phishing emails containing malicious XLS macro documents.
When opened, these documents download a malicious DLL file from one of the identified domains, ultimately leading to the deployment of Cobalt Strike Beacons for further network exploitation.
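The delivery chain just described (macro document fetching a DLL from one of the .shop domains) is also something to hunt for in endpoint telemetry. The following is an added example, not from the report or any vendor's detection content. It assumes a simplified Sysmon-like export with one JSON object per line, carrying process-creation events (parent, image, cmdline) and HTTP request events (image, url); the log itself is constructed, with hypothetical hostnames, user names and paths, and "lure-example.shop" standing in for any of the listed domains. The rule that flags an Office process spawning rundll32.exe or regsvr32.exe with a .dll on the command line is a generic assumption about how a dropped DLL gets loaded; the text only states that the document downloads a DLL.

```python
"""Hunt for an Office document fetching and loading a DLL, the delivery chain
described above, in Sysmon-like JSON telemetry.

Added example, not from the original report. SAMPLE_LOG is constructed telemetry
with hypothetical hosts and paths; the DLL-loader rule is an assumption.
"""
import json
from urllib.parse import urlparse

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}  # assumed ways a macro loads a dropped DLL

# Constructed sample telemetry: one JSON object per line. Event 1 and 2 model the
# chain in the text (EXCEL.EXE fetches update.dll from a .shop host and loads it),
# 3 and 4 are benign, 5 is an Office DLL download from a non-.shop host.
SAMPLE_LOG = r"""
{"id": 1, "type": "process_create", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\ivan\\AppData\\Local\\Temp\\update.dll,Start"}
{"id": 2, "type": "http_request", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "url": "http://lure-example.shop/assets/update.dll"}
{"id": 3, "type": "process_create", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
{"id": 4, "type": "http_request", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "url": "https://cdn.example.com/lib/jquery.min.js"}
{"id": 5, "type": "http_request", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "url": "https://templates.example.com/letterhead.dll"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_event(ev: dict):
    """Return (rule, severity) when the event matches a hunting rule, else None."""
    if ev["type"] == "process_create":
        if (basename(ev["parent"]) in OFFICE_PROCS
                and basename(ev["image"]) in DLL_LOADERS
                and ".dll" in ev["cmdline"].lower()):
            return ("office_spawns_dll_loader", "high")
    elif ev["type"] == "http_request":
        if basename(ev["image"]) in OFFICE_PROCS:
            url = urlparse(ev["url"])
            host = (url.hostname or "").lower()
            if url.path.lower().endswith(".dll"):
                # Office process pulling a DLL: high when the host is on the
                # report's .shop pattern, medium otherwise
                severity = "high" if host.endswith(".shop") else "medium"
                return ("office_downloads_dll", severity)
    return None


def hunt(text: str) -> list:
    """Run every rule over the log and return the findings in event order."""
    findings = []
    for ev in parse_log(text):
        hit = check_event(ev)
        if hit:
            findings.append({"id": ev["id"], "rule": hit[0], "severity": hit[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The two rules cover the initial-access stage only; the Cobalt Strike Beacon that follows needs its own network and memory detections. In a real deployment the .shop check would be replaced by a watchlist fed from the pivoted domain set, and the medium-severity branch is there because an Office process fetching any DLL is unusual enough to review even when the host is not on the list.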
This infrastructure analysis provides valuable insights into Ghostwriter’s operations, enabling better detection and mitigation strategies.
Beyond this, the researchers strongly urge collaborative threat intelligence sharing and infrastructure pivoting techniques, which help uncover the full scope of APT activities.