Russia-linked Gamaredon group targets Ukraine officials

Russia-linked Gamaredon cyberespionage group has been targeting Ukrainian targets, including diplomats, government and military officials.

Russia linked APT group tracked as Gamaredon has been targeting several Ukrainian diplomats, government and military officials, and law enforcement.

The Gamaredon attacks against Ukraine don’t seem to have stopped. In June malware researchers from Cybaze-Yoroi spotted a new suspicious activity potentially linked to the popular APT group.

The hacking campaign confirmed that the Gamaredon operations are still ongoing and the high interest of the Kremlin in infiltrating the East European ecosystem, especially the Ukranian one. The experts at Cybaze confirmed that the infection patterns were similar to the other attacks spotted in early 2019, including the Matryoshka structure and the use of chained SFX archives.

The Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. This summer, CERT-UA reported several attacks attributed to the Gamaredon APT that were aimed at the Ukrainian military and law enforcement.

Back to the present, the threat intelligence firm Anomali reported a new wave of attacks that started in Mid-October 2019 and that targeted individuals and entities in Ukraine, including diplomats, government officials and employees, journalists, law enforcement, military officials and personnel, NGOs, and the Ministry of Foreign Affairs.

State-sponsored hackers launched spear-phishing attackes using weaponized documents.

The bait documents reveal malicious activity from at least September 2019, to November 25, 2019.

“This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019.” reads the report published by Anomaly. “The primary objective of this campaign, was identified in mid-November 2019, appears to be targeting Ukrainian governmental entities. Gamaredon is using weaponized documents, sometimes retrieved from legitimate sources as the initial infection vector.”

The experts analyzed three different lure documents respectively aimed at the Dnipro Control System and discussing requirements instituted by the Chief of the General Staff regarding organization work to clarify the improvement of visual agitation in areas of subordinate, another produced by the NGO media watchdog Detector Media, and a third targeting the Ministry of Foreign Affairs of Ukraine.

The attackers use the Template Injection technique instead of documents embedding malicious VBA macros. The lure documents once opened will automatically download a Document Template (.dot) from a remote location that is executed in background.

The document template (dot) contains VBA macros that are executed in the background, while the VBA macro writes a VBScript file to the startup folder.

When the machine reboots the VBScript file will be executed after sleeping for 181340 milliseconds.

Upon reboot, the VBScript performs an HTTP GET request to fetch an encrypted stage from a dynamic DNS domain. The payload, however, is only sent if the target is deemed of interest.

“A file will only be sent if the actor determines that the now-infected target is worthy of a second-stage payload, otherwise the file deletion continues on its loop to remove evidence of the actor’s activity.” continues the analysis.

The experts from Anomaly believe that the threat actor’s TTPs are aligned with the ones associated with the Russian hacking group Gamaredon.

“Russian-sponsored cyber capabilities have been welldocumented over numerous malicious campaigns found and attributed by the security community, and this activity observed by ATR indicates the risk posed to entities by APT threat groups.” concludes Anomaly. “Governments around the globe utilize campaigns for strategic purposes, and in Russia’s case, sometimes to coincide with armed forces activity.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]