A new cyber-espionage group, GamaCopy (aka Core Werewolf), has been using military-themed bait to launch attacks on Russian organizations, emulating the tactics of the notorious Russian hacking group Gamaredon. The campaign, which has been ongoing since June 2023, has targeted critical sectors in Russia, including defense and infrastructure, with the goal of stealing sensitive information.
GamaCopy has gained attention for its use of a “false flag” strategy, attempting to mislead cybersecurity teams by imitating the methods of Gamaredon, a Russian cyber-espionage group linked to the Federal Security Service (FSB).
Gamaredon has been known for targeting Ukrainian government agencies, non-governmental organizations, and the military since 2013. By tracing the origins of attack samples, security researchers have identified the connection between GamaCopy and Core Werewolf, which has launched several attacks against Russian entities.
The latest report on the group's activities comes from the Chinese cybersecurity firm Knownsec 404, which analyzed attack samples targeting Russian-speaking individuals. The firm found that these samples followed an attack methodology identical to Gamaredon's, leveraging military-related themes as bait.
The spear-phishing campaigns employed by GamaCopy utilize military-related lures to entice individuals in Russia's defense sector to download malicious files. The attacks involve a malicious 7z self-extracting (SFX) archive file, which, once executed, releases additional payloads designed to compromise the target's system. After infecting the victim's machine, the attackers use the open-source tool UltraVNC to maintain persistence and control over the compromised system.
However, the researchers note that GamaCopy differs slightly from Gamaredon in its technical details. While Gamaredon often uses VBS scripts to install UltraVNC and other payloads, GamaCopy's operations employ a different method, relying on a more streamlined attack chain and using port 443 rather than the commonly used port 5612.
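The two observable points in the chain described above (a 7z self-extracting archive as the initial file, and a VNC server talking out on port 443 instead of its usual port) translate directly into simple detection heuristics. The following Python is an added example written for this article, not code from the Knownsec 404 report or from either group's tooling; the log line format, the hostnames and addresses, and the process name `winvnc.exe` (the name UltraVNC's server binary normally carries, which an attacker may of course rename) are constructed or assumed for illustration.

```python
"""
Two defensive heuristics based on the GamaCopy attack chain described above:
  1. flag files that look like 7z self-extracting (SFX) archives: a PE
     executable (MZ header) with a 7z archive signature embedded after it;
  2. flag process/network records where a VNC server process connects
     outbound on TCP 443, the port the article says GamaCopy uses instead
     of the usual VNC port.
All sample inputs below are constructed for this example.
"""
import re
from typing import Dict, List

# 6-byte signature that opens every 7z archive ("7z" followed by BC AF 27 1C).
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Assumed candidate names for the UltraVNC server process. Attackers may rename
# the binary, so treat this as a starting list, not an exhaustive one.
VNC_SERVER_NAMES = {"winvnc.exe", "ultravnc.exe"}

# Assumed log format: whitespace-separated key=value pairs on one line.
KV_RE = re.compile(r"(\w+)=(\S+)")


def looks_like_7z_sfx(data: bytes) -> bool:
    """Return True when the bytes are a PE executable carrying an embedded 7z archive.

    A plain 7z archive starts with the magic at offset 0 and is not an SFX;
    a 7z SFX is an MZ/PE stub with the archive appended somewhere after it.
    """
    if len(data) < 2 or data[:2] != b"MZ":
        return False
    return data.find(SEVENZIP_MAGIC, 2) != -1


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse a key=value log line into a dict (assumed format, see above)."""
    return dict(KV_RE.findall(line))


def flag_vnc_on_443(lines: List[str]) -> List[Dict[str, str]]:
    """Return the records where a known VNC server process connects to dport 443."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        proc = rec.get("proc", "").lower()
        if proc in VNC_SERVER_NAMES and rec.get("dport") == "443":
            hits.append(rec)
    return hits


# Constructed sample artefacts.
SAMPLE_SFX = b"MZ" + b"\x00" * 64 + SEVENZIP_MAGIC + b"<archive body>"
SAMPLE_PLAIN_7Z = SEVENZIP_MAGIC + b"<archive body>"
SAMPLE_EXE = b"MZ" + b"\x00" * 64

SAMPLE_LOGS = [
    "ts=2023-06-12T10:01:03Z host=WS01 proc=winvnc.exe dport=443 dst=203.0.113.10",
    "ts=2023-06-12T10:01:05Z host=WS01 proc=chrome.exe dport=443 dst=198.51.100.7",
    "ts=2023-06-12T10:02:11Z host=WS02 proc=winvnc.exe dport=5900 dst=192.0.2.44",
]

if __name__ == "__main__":
    for name, blob in (("sfx", SAMPLE_SFX), ("plain7z", SAMPLE_PLAIN_7Z), ("exe", SAMPLE_EXE)):
        print(f"{name}: 7z SFX = {looks_like_7z_sfx(blob)}")
    for rec in flag_vnc_on_443(SAMPLE_LOGS):
        print("VNC server on 443:", rec["host"], rec["proc"], "->", rec["dst"])
```

Both checks are deliberately narrow: the SFX heuristic only says "this executable carries a 7z archive", which is also true of legitimate installers, and the network heuristic only fires for an unrenamed VNC server binary, so they are triage signals to be combined with the phishing context the article describes rather than stand-alone verdicts.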
The GamaCopy campaign appears to have been active since at least August 2021, although its more notable attacks began in mid-2023.