Tracking Adversaries: Ghostwriter APT Infrastructure
Infrastructure pivoting is a crucial technique for cyber threat intelligence analysts, enabling them to uncover additional targets and tools used by adversaries. This skill enhances incident response efforts and can lead to the attribution of intrusions to known threat actors. The article discusses the Ghostwriter campaign targeting the Ukrainian military and highlights the importance of analyzing threat data from various cybersecurity organizations. Affected: Ukrainian military, Belarusian state-sponsored APT group, Cybersecurity organizations

Key points:

  • Infrastructure pivoting helps identify additional targets and insights about adversaries.
  • Threat data from organizations like CERT-UA, Deep Instinct, Cyble, and Fortinet is essential for pivoting.
  • The Ghostwriter campaign involved malicious XLS macro documents targeting the Ukrainian military.
  • Indicators of compromise (IOCs) can reveal overlapping infrastructure used by adversaries.
  • Continuous collection of IOCs into a Threat Intelligence Platform (TIP) aids in identifying connections between reports.
  • Adversaries often reuse registrars, name servers, and gTLDs, indicating shared infrastructure.
  • Domain attribute queries can uncover additional unreported domains linked to known adversaries.
  • Related malware samples can be found by analyzing domains in VirusTotal.
  • CTI analysts can learn about adversaries’ capabilities and behaviors by examining IOC attributes.
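
The attribute pivot described in the key points (shared registrar, name servers and gTLD), as an added Python example that is not part of the original article: it builds a fingerprint from the attributes the known domains have in common and scores unreported candidates against it. The five known domains are the IoCs listed under Indicators of Compromise below; the registrar and name-server values and the candidate domains are constructed placeholders, not real WHOIS data.

```python
from collections import Counter
def refang(domain):
    """IoC feeds publish domains defanged ('[.]'); restore the dot for processing."""
    return domain.replace("[.]", ".")

# Constructed sample. The five domains are the IoCs reported on this page; the
# registrar and name-server values are placeholders, NOT real WHOIS data.
KNOWN_IOCS = [
    {"domain": "goudieelectric[.]shop", "registrar": "Registrar-X", "ns": ("ns1.provider-a.invalid", "ns2.provider-a.invalid")},
    {"domain": "backstagemerch[.]shop", "registrar": "Registrar-X", "ns": ("ns1.provider-a.invalid", "ns2.provider-a.invalid")},
    {"domain": "bryndonovan[.]shop", "registrar": "Registrar-X", "ns": ("ns1.provider-a.invalid", "ns2.provider-a.invalid")},
    {"domain": "chaptercheats[.]shop", "registrar": "Registrar-X", "ns": ("ns1.provider-b.invalid", "ns2.provider-b.invalid")},
    {"domain": "clairedeco[.]shop", "registrar": "Registrar-Y", "ns": ("ns1.provider-a.invalid", "ns2.provider-a.invalid")},
]
# Constructed, hypothetical results of a domain-attribute query (e.g. "same registrar").
CANDIDATES = [
    {"domain": "constructed-candidate-1[.]shop", "registrar": "Registrar-X", "ns": ("ns1.provider-a.invalid", "ns2.provider-a.invalid")},
    {"domain": "constructed-candidate-2[.]shop", "registrar": "Registrar-Z", "ns": ("ns1.other.invalid",)},
    {"domain": "constructed-candidate-3[.]example", "registrar": "Registrar-X", "ns": ("ns1.provider-a.invalid", "ns2.provider-a.invalid")},
]

def attributes(record):
    """Pivotable attributes of one domain record as (kind, value) pairs."""
    d = refang(record["domain"])
    attrs = {("registrar", record["registrar"]), ("tld", d.rsplit(".", 1)[-1])}
    attrs |= {("ns", ns) for ns in record["ns"]}
    return attrs

def build_profile(known, min_share=0.5):
    """Cluster fingerprint: attributes shared by at least min_share of the known IoCs."""
    counts = Counter(a for r in known for a in attributes(r))
    return {a for a, c in counts.items() if c / len(known) >= min_share}

def score(record, profile):
    """Number of distinct attribute kinds (registrar, ns, tld) a candidate shares with the profile."""
    matched = attributes(record) & profile
    return len({kind for kind, _ in matched}), sorted(matched)

def pivot(known, candidates, min_kinds=2):
    """Return candidates matching at least min_kinds attribute kinds, strongest first."""
    profile = build_profile(known)
    hits = []
    for c in candidates:
        kinds, matched = score(c, profile)
        if kinds >= min_kinds:
            hits.append((c["domain"], kinds, matched))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for domain, kinds, matched in pivot(KNOWN_IOCS, CANDIDATES):
        print(f"{domain}: {kinds}/3 attribute kinds shared -> {matched}")
```

A candidate that matches on gTLD alone is dropped by the default threshold, which is the point of pivoting on several attributes at once rather than on one.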

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Web Protocols: The Ghostwriter campaign used Cobalt Strike Beacons for command and control.
  • T1071.002 – Application Layer Protocol: File Transfer Protocols: Malicious XLS documents downloaded DLL files from adversary-created domains.
  • T1583.001 – Acquire Infrastructure: Domains: Identification of shared domains and infrastructure used by the Ghostwriter APT group.
  • T1590.001 – Gather Victim Network Information: Domain Properties: Targeting the Ukrainian military through tailored phishing campaigns.

Indicators of Compromise:

  • [domain] goudieelectric[.]shop
  • [domain] backstagemerch[.]shop
  • [domain] bryndonovan[.]shop
  • [domain] chaptercheats[.]shop
  • [domain] clairedeco[.]shop
  • See the full article for the complete list of IoCs.

Full Research: https://blog.bushidotoken.net/2025/01/tracking-adversaries-ghostwriter-apt.html