The Belarus-linked APT group Ghostwriter has launched a new phishing campaign against Ukrainian government agencies. The lure impersonates the Prometheus online learning platform, a service familiar to the targeted users, which makes the emails more convincing. Messages sent from compromised accounts carry PDFs that link to a ZIP archive containing a JavaScript loader tracked as OYSTERFRESH. When run, the script opens a decoy document while writing an obfuscated second-stage payload (OYSTERBLUES) into the Windows registry.
OYSTERBLUES collects system information, beacons to a command-and-control server and ultimately deploys Cobalt Strike for persistent access. CERT-UA recommends mitigations such as restricting execution of wscript.exe, the Windows Script Host binary that runs the JavaScript stage, to break the initial infection chain.
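The following PowerShell is an added example of that mitigation, not code from CERT-UA or the article. It takes wscript.exe out of the double-click path for script files by repointing their handlers to Notepad, enables the Defender Attack Surface Reduction rule that stops script engines from launching downloaded payloads, and checks that both changes took. It assumes an elevated session on Windows 10/11 or Server 2016+ with Microsoft Defender as the active antivirus; the ASR rule GUID is Microsoft's published identifier for "Block JavaScript or VBScript from launching downloaded executable content".

```powershell
# Added example (not from the CERT-UA report or the article): harden a host
# against an OYSTERFRESH-style JavaScript loader delivered in a ZIP archive.
# Assumptions: elevated PowerShell, Windows 10/11 or Server 2016+, Defender AV.
#Requires -RunAsAdministrator

# ProgIDs behind the script extensions Windows Script Host handles by default.
$ScriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile'
# Replacement Open command: a double-clicked .js opens as text instead of executing.
$NotepadCmd = '"%SystemRoot%\system32\notepad.exe" "%1"'
# Defender ASR rule "Block JavaScript or VBScript from launching downloaded executable content".
$AsrBlockScriptDownloads = 'D3E037E1-3EB8-44C8-A917-57927947596D'

function Set-ScriptHandlerToNotepad {
    # Repoint the Open verb of each script ProgID under the machine-wide class root.
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCmd
        }
    }
}

function Enable-AsrScriptRule {
    # Block mode (Add-MpPreference merges with rules already configured).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockScriptDownloads `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-WscriptHardening {
    # Returns $true only if every script handler now points at Notepad and the
    # ASR rule is enforced in Block mode (action value 1; 2 = Audit, 6 = Warn).
    $handlersOk = $true
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            if ($cmd -notmatch 'notepad\.exe') {
                Write-Warning "$progId still launches: $cmd"
                $handlersOk = $false
            }
        }
    }

    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $idx   = [array]::IndexOf($ids, $AsrBlockScriptDownloads)
    $asrOk = ($idx -ge 0) -and ($prefs.AttackSurfaceReductionRules_Actions[$idx] -eq 1)
    if (-not $asrOk) { Write-Warning 'ASR script-download rule is not in Block mode' }

    return ($handlersOk -and $asrOk)
}

Set-ScriptHandlerToNotepad
Enable-AsrScriptRule
if (Test-WscriptHardening) { 'wscript.exe hardening verified' } else { 'hardening incomplete' }
```

The handler change only affects what happens when a user opens a .js file from Explorer or an archive viewer; a loader started explicitly as `wscript.exe payload.js` (for example from a shortcut or another script) still runs, which is why the ASR rule is paired with it. Where AppLocker or WDAC is already deployed, add a Deny rule for `%SYSTEM32%\wscript.exe` and `cscript.exe` for non-administrative users on top of this, and merge it into the existing policy rather than replacing it, since an enforced AppLocker policy without its default Allow rules blocks every executable.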