Ghostwriter / UNC1151 Adopts Microbackdoor Variants in Cyber Operations Against Ukraine

By Cluster25 Threat Intel Team

March 8, 2022

For a few months Cluster25 collected and analyzed several malicious activities which then were internally linked with the threat actor known as UNC1151 (aka GhostWriter), an adversary believed to be linked to the Belarusian government. In July 2020 Mandiant Threat Intelligence released a public report about an ongoing influence campaign named “GhostWriter“. The campaign was addressed to audiences in Lithuania, Latvia and Poland making use of critical messages against the NATO’s presence in Eastern Europe.

In addition to this type of operations, UNC1151 seems to be further active also in the compromise of objectives of strategic importance. On March 4, 2022, Cluster25 collected a malicious document designed to spread malware for espionage purposes against targets located in Ukraine that displays the logos of the Ukrainian President’s office and secret services with content relating to advice on dealing with the bombing.


The document is a Microsoft Compressed HTML Help (CHM) file named dovidka.chm. After extracting the file, it shows the following structure:

dividka.chm contains a file named file.htm that in its turn contains obfuscated vbscript (VBS) code as reported following:


The script checks for the presence of the file


then it writes a second VBS script under the path


After that, it runs the latter script, deletes it and finally runs the command

wscript.exe //B //E:vbs C:UsersPublicFavoritesdesktop.ini

The script ignit.vbs decodes and writes the following files:

  • C:UsersPublicLibrariescore.dll
  • C:UsersPublicFavoritesdesktop.ini
  • C:ProgramDataMicrosoftWindows Start MenuProgramsStartupWindows Prefetch.lnk

The desktop.ini file runs the following command, which executes the file core.dll with the Microsoft Assembly Registration Tool (Regasm.exe):

C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe  /U “C:UsersPublicLibrariescore.dll”


The file core.dll is a DLL file in .NET code compiled on Monday January 31st 2022 at 15:00:46 UTC. Code obfuscation and anti-tampering techniques have been used to hinder the analysis. The kind of anti-tampering techniques  used shows similarities with the use of the open-source code-protector tool for .NET named ConfuserEx. This is because several methods appear as empty and decompilation exceptions are present when the file is open in tools such as dnSpy, as reported in the image below:

We thought to make the code a little more readable by setting a breakpoint after the anti-tamper method (first method in the constructor) and by replacing the method with NOPs to finally save and reopen the module in dnSpy. This is necessary since the method is responsible for changing the RVA values of the methods. After this is executed, the values are correct, so it is possible to dump the new version of the DLL, but it is also necessary to avoid the anti-tamper method to be called in the next execution, otherwise it would change the values again.

This code is basically a payload aimed at unpacking and executing a payload


The piece of code in the new thread it’s basically meant to perform a connection to the domain xbeta[.]online attested on IP address 185.175.158[.]27. 

If the connection is successful it receives and decrypts commands and performs the appropriate actions. The identified commands that can be executed are
  • id
  • info
  • ping
  • exit
  • upd
  • uninst
  • exec
  • shell
  • flist
  • fget
  • fput
  • screenshot

The implant is able to perform any classic operation in support of activities aimed at espionage, such as collecting data relating to the machine in which it is operating, downloading and transferring files, executing arbitrary commands, capturing screenshots etc. etc.


The relations between Russia and Belarus date back in 1991 with the signing of the Belovezh Accords on the ending of the USSR and the establishment of the Commonwealth of Independent States (CIS). In the actual conflict going on in Ukraine more than once Minsk showed its support to Moscow even if publicly Lukashenko said that he’ll avoid the participation of Belarusian soldiers. In case of an escalation it’s likely that Belarus will assist Russia militarily. On the basis of the above, however, it seems that the Belarusian government is already openly participating in offensive operations in the cyber domain by protecting Russian interest.


PAYLOAD MD5 2556a9e1d5e9874171f51620e5c5e09a
PAYLOAD SHA1 affc2b19d9fb8080a7211c3ed0718f2c3d3887df
PAYLOAD SHA256 7f0511b09b1ab3a64c8827dd8af017acbf7d2688db31a5d98fea8a5029a89d56
PAYLOAD MD5 d2a795af12e937eb8a89d470a96f15a5
PAYLOAD SHA1 491214cc496f4a358856801d0381eb4926c07c59
PAYLOAD SHA256 e97f1d6ec1aa3f7c7973d57074d1d623833f0e9b1c1e53f81af92c057a1fdd72
PAYLOAD MD5 e2e6bb2fa799b8a9ace6125f80cc06d2
PAYLOAD SHA1 5f7b3f789916b8ddcf8042f83817719bae133474
PAYLOAD SHA256 559d8e8f2c60478d1c057b46ec6be912fae7df38e89553804cc566cac46e8e91
NETWORK C2 xbeta[.]online
NETWORK C2 185.175.158[.]27


Initial Access T1566.001 Spearphishing Attachment
Execution T1059 Command and Scripting Interpreter
Defense Evasion T1036 Masquerading
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1027 Obfuscated Files or Information
Discovery T1082 System Information Discovery


rule GhostWriter_MicroLoader_72632_00001 { meta: author = “Cluster25” hash1 = “e97f1d6ec1aa3f7c7973d57074d1d623833f0e9b1c1e53f81af92c057a1fdd72” tlp = “white” strings: $ = “ajf09aj2.dll” fullword wide $ = “regsvcser” fullword ascii $ = “X l.dlT” fullword ascii $ = “rtGso9w|4” fullword ascii $ = “ajlj}m${<” fullword ascii condition: (uint16(0) == 0x5a4d and all of them) }
rule GhostWriter_MicroBackdoor_72632_00001 { meta: author = “Cluster25” hash1 = “559d8e8f2c60478d1c057b46ec6be912fae7df38e89553804cc566cac46e8e91” tlp = “white” strings: $ = “cmd.exe /C ”%s%s”” fullword wide $ = “client.dll” fullword ascii $ = “ERROR: Unknown command” fullword ascii $ = ” *** ERROR: Timeout occured” fullword ascii $ = “%sSoftwareMicrosoftWindowsCurrentVersionInternet Settings” fullword ascii $ = “MIIDazCCAlOgAwIBAgIUWOftflCclQXpmWMnL1ewj2F5Y1AwDQYJKoZIhvcNAQEL” fullword ascii condition: (uint16(0) == 0x5a4d and all of them) }

Like it? Share it:

Scroll to Top