Ghostwriter is one of three campaigns using war-themed attacks, with cyber-fire coming in from government-backed actors in China, Iran, North Korea and Russia.
Ghostwriter – a threat actor previously linked with the Belarusian Ministry of Defense – has glommed onto the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.
In a Wednesday post, Google’s Threat Analysis Group (TAG) said it had already spotted BitB being used by multiple government-backed actors before the media turned a laser eye on BitB earlier this month. The fresh attention was triggered by a penetration tester and security researcher who goes by the handle mr.d0x, who posted a description of BitB.
Ghostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat’s (APT’s) phishing techniques: namely, hosting credential-phishing landing pages on compromised sites.
BitB
The newly disclosed credential-phishing method of BitB takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple or Microsoft.
These days, SSO popups are a routine way to authenticate when you
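A defender-side illustration of the distinction the article draws, added here as an example and not code from the original post, Google TAG or mr.d0x: a genuine SSO popup is a separate browser window whose address is painted by the browser's own chrome, whereas a BitB-style fake has to paint that address inside the page content. The heuristic below scans captured HTML for an SSO address rendered as visible page text and for an embedded frame that does not actually load from that SSO origin. The host list, the `find_bitb_indicators` function and both HTML samples are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins that real SSO popups load from (constructed list; extend for your environment).
SSO_HOSTS = {
    "accounts.google.com",
    "www.facebook.com",
    "appleid.apple.com",
    "login.microsoftonline.com",
}


class _Collector(HTMLParser):
    """Gather visible text and iframe sources, skipping script/style content."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self.iframe_srcs = []
        self._skip = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.texts.append(data.strip())


def find_bitb_indicators(html: str) -> list[str]:
    """Return human-readable indicators that a page paints a fake SSO window.

    Two signals are combined: (1) an SSO origin URL appears as page text, which a
    real popup never needs because the browser shows the address itself, and
    (2) an iframe beneath that painted address loads from somewhere other than
    the SSO origin it claims to be.
    """
    parser = _Collector()
    parser.feed(html)
    findings = []
    painted_hosts = set()

    for text in parser.texts:
        for token in text.split():
            if token.startswith(("http://", "https://")):
                host = urlparse(token).hostname or ""
                if host in SSO_HOSTS:
                    painted_hosts.add(host)
                    findings.append(f"visible text renders SSO address: {token}")

    for src in parser.iframe_srcs:
        host = urlparse(src).hostname or ""
        if painted_hosts and host not in SSO_HOSTS:
            findings.append(
                f"iframe loads from {host or 'a relative path'} beneath a painted SSO address"
            )
    return findings


# Constructed samples: a normal SSO button link, and a page that paints an
# SSO address as text over a frame served from the page's own origin.
LEGIT_PAGE = (
    '<html><body><a href="https://accounts.google.com/o/oauth2/auth">'
    "Sign in with Google</a></body></html>"
)
SUSPECT_PAGE = (
    "<html><body><div class=\"window\">"
    '<div class="addr">https://accounts.google.com/signin</div>'
    '<iframe src="/login-form.html"></iframe>'
    "</div></body></html>"
)

if __name__ == "__main__":
    for name, page in (("legit", LEGIT_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, find_bitb_indicators(page))
```

The check is a triage heuristic for captured landing pages, not a complete classifier: a page may render the SSO window from an image or CSS without any URL text, so absence of findings does not clear a page, and any hit should be confirmed by opening the suspected "popup" and seeing whether it can be dragged outside the browser window, which a real popup can and an in-page fake cannot.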