A Russia-linked cyber-espionage group known as Gamaredon is abusing the infrastructure of the popular messaging service Telegram to fly under the radar and deliver malicious payloads to its victims.
Active since 2013, Gamaredon primarily targets organizations in Ukraine. Previously, Ukrainian authorities linked the group, which Ukraine’s CERT tracks as Armageddon, to the Sevastopol office of the Russian FSB intelligence agency.
According to BlackBerry researchers, the group has lately been using a novel approach in its offensive cyber operations: a multi-stage Telegram scheme that first profiles potential victims and then delivers the final payload along with its malicious command-and-control (C2) infrastructure.
“The Gamaredon Group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload. This kind of technique to infect target systems is new,” the researchers noted.
The attack starts with spear-phishing emails containing weaponized Microsoft Word documents written in both the Russian and Ukrainian languages. The malicious lures mimic documents originating from real Ukrainian government organizations, and are carefully designed to trick those who may have a real reason to interact with those organizations.
In the latest campaign the threat actor was observed exploiting the remote template injection vulnerability (CVE-2017-0199) to bypass Microsoft Word macro protections and gain initial access to victim systems.
“Once the malicious document is opened, it fetches the specified address and downloads the next stage of the attack chain. The server's configuration deploys the next stage payload only to targets with a Ukrainian IP address. If the IP validation matches and confirms the target is indeed located in Ukraine, it then drops a heavily obfuscated VBA script,” BlackBerry explains.
This script connects to a hardcoded Telegram account to receive instructions pointing to a new malicious IP address, which is used to construct the URL for the next stage download: a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file. This file contacts another Telegram channel to retrieve a third IP address hosting the final payload, an information-stealing malware detailed by Cisco Talos last year.
“The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out. The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and in all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine,” the researchers said.
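Because the IP addresses in this chain rotate, indicator-based blocking ages out quickly; the behaviour described above (an Office process reaching out, a script host asking Telegram for its next hop, then a script host pulling from a bare IP) is more stable. The following detector is an added example, not BlackBerry's or Talos's code; the telemetry format, process names and time window are assumptions, and the events are constructed test data.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class NetEvent:
    """Hypothetical endpoint record: one outbound connection per event."""
    ts: datetime
    host: str
    process: str   # image name of the connecting process
    dest: str      # hostname or bare IP it connected to

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
DEAD_DROP_DOMAINS = {"t.me", "telegram.org", "telegram.me"}  # assumed resolver hosts

def is_bare_ip(dest: str) -> bool:
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False

def stage_of(ev: NetEvent) -> Optional[str]:
    """Map one event to a stage of the chain the article describes, or None."""
    if ev.process in OFFICE_APPS:
        return "office_egress"   # Word fetching the remote next stage
    if ev.process in SCRIPT_HOSTS and ev.dest in DEAD_DROP_DOMAINS:
        return "dead_drop"       # VBA/PowerShell asking Telegram for the next IP
    if ev.process in SCRIPT_HOSTS and is_bare_ip(ev.dest):
        return "ip_download"     # script pulling a payload from a bare IP
    return None

def detect_chains(events, window=timedelta(minutes=30)) -> dict:
    """Hosts where an Office egress is followed by both other stages within `window`."""
    per_host, flagged = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = stage_of(ev)
        if stage:
            per_host.setdefault(ev.host, []).append((ev.ts, stage))
    for host, seen in per_host.items():
        for i, (t0, s0) in enumerate(seen):
            if s0 != "office_egress":
                continue
            stages = [s for t, s in seen[i:] if t - t0 <= window]
            if "dead_drop" in stages and "ip_download" in stages:
                flagged[host] = stages
                break
    return flagged

T = datetime(2023, 1, 10, 9, 0)
SAMPLE = [  # constructed events; IPs are from documentation ranges
    NetEvent(T, "WS-01", "winword.exe", "203.0.113.10"),
    NetEvent(T + timedelta(minutes=1), "WS-01", "wscript.exe", "t.me"),
    NetEvent(T + timedelta(minutes=2), "WS-01", "powershell.exe", "198.51.100.7"),
    NetEvent(T + timedelta(minutes=3), "WS-01", "powershell.exe", "t.me"),
    NetEvent(T, "WS-02", "chrome.exe", "t.me"),                     # ordinary browser use
    NetEvent(T + timedelta(minutes=5), "WS-02", "powershell.exe", "198.51.100.9"),
]
```

Only WS-01 is flagged: WS-02 shows a browser visiting Telegram and an isolated script download, which on their own match no chain.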