The Belarus-based operator of an organized and ongoing disinformation campaign in Europe called “Ghostwriter” is using a new, hard-to-detect phishing technique to target organizations in Ukraine just days after a researcher highlighted the method in a blog post.
The method, dubbed browser-in-the-browser, involves the threat actor drawing a fake browser window inside the real browser window to impersonate the entire pop-up login window — including the URL — of a legitimate domain. Users are fooled into entering login details when they land on these spoofed account login windows because the URL looks legitimate.
Researchers from Google’s Threat Analysis Group (TAG) highlighted Ghostwriter’s use of the new tactic in an update this week on recent malicious activities it has observed from numerous threat actors that either are related to the war in Ukraine or are using it as a lure.
In a blog post, a researcher from TAG said the group had observed the operator of Ghostwriter in recent days combining the browser-in-browser tactic with a trick it has used previously: hosting phishing pages on compromised sites. The researcher described the browser-in-browser tactic as something the group had only previously observed multiple government-backed actors quietly using in phishing campaigns.
The Ghostwriter operator’s use of the new browser phishing technique highlights a threat dynamic that isn’t often discussed, says Casey Ellis, founder and CTO at Bugcrowd. “Increased scrutiny of attacker tactics, and subsequent sharing of those tactics, broadens the potential audience for those techniques,” he says.
Google’s update on Ghostwriter follows recent warnings from others, including Ukraine’s Computer Emergency Response Team (CERT-UA) and vendors such as Mandiant, about the threat group’s widespread credential phishing attacks against Ukrainian military personnel and other individuals in the days leading up to and during the war.
The Ghostwriter campaign is one of several tied to Ukraine that Google has been tracking in recent weeks. According to TAG, nation-state-backed threat actors from Iran, China, North Korea, and Russia, along with numerous other criminal and financially motivated groups, are all using Ukraine-war-related themes in phishing campaigns, online extortion attempts, and other malicious activities.
Many of the attacks have targeted organizations in Ukraine. But others have affected US nongovernmental organizations (NGOs) and government and military entities in multiple other countries as well. Among them is a campaign by “Curious Gorge,” a threat group that is believed to have ties with the Strategic Support Force of China’s People’s Liberation Army. According to Google, over the last two weeks it has observed the threat actor conducting malicious cybercampaigns against military and government organizations in Russia, Ukraine, Mongolia, and Kazakhstan.
Another example is “Coldriver,” aka Calisto, a Russian-based threat group that Google said had recently launched a credential phishing campaign targeting multiple US-based think tanks, NGOs, a Ukraine-based defense contractor, and the military of a Balkans nation.
Google TAG’s latest update is the second this month on Ukraine-related cyber-threat activity. On March 7, TAG issued an alert on new cyber-espionage and phishing campaigns that it had observed from groups such as Russia’s APT28/FancyBear, Belarus’ UNC1151/Ghostwriter, and China’s Mustang Panda.
“The Russia-Ukraine conflict creates a backdrop of uncertainty, misinformation, and generally problematic Internet activity,” providing ample cover for malicious activities, Ellis says. “This, in turn, emboldens a variety of potential threat actors, ranging from nation-states to curious individuals.”