APT

Russia-linked Gamaredon group targets Ukraine officials

Russia-linked Gamaredon cyberespionage group has been targeting Ukrainian targets, including diplomats, government and military officials.

Russia linked APT group tracked as Gamaredon has been targeting several Ukrainian diplomats, government and military officials, and law enforcement.

The Gamaredon attacks against Ukraine don’t seem to have stopped. In June malware researchers from Cybaze-Yoroi spotted a new suspicious activity potentially linked to the popular APT group.

The hacking campaign confirmed that the Gamaredon operations are still ongoing and the high interest of the Kremlin in infiltrating the East European ecosystem, especially the Ukranian one. The experts at Cybaze confirmed that the infection patterns were similar to the other attacks spotted in early 2019, including the Matryoshka structure and the use of chained SFX archives.

The Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. This summer, CERT-UA reported several attacks attributed to the Gamaredon APT that were aimed at the Ukrainian military and law enforcement.

Back to the present, the threat intelligence firm Anomali reported a new wave of attacks that started in Mid-October 2019 and that targeted individuals and entities in Ukraine, including diplomats, government officials and employees, journalists, law enforcement, military officials and personnel, NGOs, and the Ministry of Foreign Affairs.

State-sponsored hackers launched spear-phishing attackes using weaponized documents.

The bait documents reveal malicious activity from at least September 2019, to November 25, 2019.

“This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019.” reads the report published by Anomaly. “The primary objective of this campaign, was identified in mid-November 2019, appears to be targeting Ukrainian governmental entities. Gamaredon is using weaponized documents, sometimes retrieved from legitimate sources as the initial infection vector.”

The experts analyzed three different lure documents respectively aimed at the Dnipro Control System and discussing requirements instituted by the Chief of the General Staff regarding organization work to clarify the improvement of visual agitation in areas of subordinate, another produced by the NGO media watchdog Detector Media, and a third targeting the Ministry of Foreign Affairs of Ukraine.

The attackers use the Template Injection technique instead of documents embedding malicious VBA macros. The lure documents once opened will automatically download a Document Template (.dot) from a remote location that is executed in background.

The document template (dot) contains VBA macros that are executed in the background, while the VBA macro writes a VBScript file to the startup folder.

When the machine reboots the VBScript file will be executed after sleeping for 181340 milliseconds.

Upon reboot, the VBScript performs an HTTP GET request to fetch an encrypted stage from a dynamic DNS domain. The payload, however, is only sent if the target is deemed of interest.

“A file will only be sent if the actor determines that the now-infected target is worthy of a second-stage payload, otherwise the file deletion continues on its loop to remove evidence of the actor’s activity.” continues the analysis.

The experts from Anomaly believe that the threat actor’s TTPs are aligned with the ones associated with the Russian hacking group Gamaredon.

“Russian-sponsored cyber capabilities have been welldocumented over numerous malicious campaigns found and attributed by the security community, and this activity observed by ATR indicates the risk posed to entities by APT threat groups.” concludes Anomaly. “Governments around the globe utilize campaigns for strategic purposes, and in Russia’s case, sometimes to coincide with armed forces activity.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws…

3 hours ago

Mirai botnets exploit Wazuh RCE, Akamai warned

Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai…

6 hours ago

China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns

China-linked threat actor targeted over 70 global organizations, including governments and media, in cyber-espionage attacks…

9 hours ago

DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes,…

22 hours ago

OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops

OpenAI banned ChatGPT accounts tied to Russian and Chinese hackers using the tool for malware,…

1 day ago

New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

A new variant of the Mirai botnet exploits CVE-2024-3721 to target DVR systems, using a…

1 day ago