APT

Russia-linked Gamaredon group targets Ukraine officials

Russia-linked Gamaredon cyberespionage group has been targeting Ukrainian targets, including diplomats, government and military officials.

Russia linked APT group tracked as Gamaredon has been targeting several Ukrainian diplomats, government and military officials, and law enforcement.

The Gamaredon attacks against Ukraine don’t seem to have stopped. In June malware researchers from Cybaze-Yoroi spotted a new suspicious activity potentially linked to the popular APT group.

The hacking campaign confirmed that the Gamaredon operations are still ongoing and the high interest of the Kremlin in infiltrating the East European ecosystem, especially the Ukranian one. The experts at Cybaze confirmed that the infection patterns were similar to the other attacks spotted in early 2019, including the Matryoshka structure and the use of chained SFX archives.

The Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. This summer, CERT-UA reported several attacks attributed to the Gamaredon APT that were aimed at the Ukrainian military and law enforcement.

Back to the present, the threat intelligence firm Anomali reported a new wave of attacks that started in Mid-October 2019 and that targeted individuals and entities in Ukraine, including diplomats, government officials and employees, journalists, law enforcement, military officials and personnel, NGOs, and the Ministry of Foreign Affairs.

State-sponsored hackers launched spear-phishing attackes using weaponized documents.

The bait documents reveal malicious activity from at least September 2019, to November 25, 2019.

“This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019.” reads the report published by Anomaly. “The primary objective of this campaign, was identified in mid-November 2019, appears to be targeting Ukrainian governmental entities. Gamaredon is using weaponized documents, sometimes retrieved from legitimate sources as the initial infection vector.”

The experts analyzed three different lure documents respectively aimed at the Dnipro Control System and discussing requirements instituted by the Chief of the General Staff regarding organization work to clarify the improvement of visual agitation in areas of subordinate, another produced by the NGO media watchdog Detector Media, and a third targeting the Ministry of Foreign Affairs of Ukraine.

The attackers use the Template Injection technique instead of documents embedding malicious VBA macros. The lure documents once opened will automatically download a Document Template (.dot) from a remote location that is executed in background.

The document template (dot) contains VBA macros that are executed in the background, while the VBA macro writes a VBScript file to the startup folder.

When the machine reboots the VBScript file will be executed after sleeping for 181340 milliseconds.

Upon reboot, the VBScript performs an HTTP GET request to fetch an encrypted stage from a dynamic DNS domain. The payload, however, is only sent if the target is deemed of interest.

“A file will only be sent if the actor determines that the now-infected target is worthy of a second-stage payload, otherwise the file deletion continues on its loop to remove evidence of the actor’s activity.” continues the analysis.

The experts from Anomaly believe that the threat actor’s TTPs are aligned with the ones associated with the Russian hacking group Gamaredon.

“Russian-sponsored cyber capabilities have been welldocumented over numerous malicious campaigns found and attributed by the security community, and this activity observed by ATR indicates the risk posed to entities by APT threat groups.” concludes Anomaly. “Governments around the globe utilize campaigns for strategic purposes, and in Russia’s case, sometimes to coincide with armed forces activity.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

11 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

17 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.