Russian 'Gamaredon' hackers use eight new payloads against Ukraine
The group is thought to be operated directly by the Russian Federal Security Service
Researchers at Symantec have found evidence suggesting the Russia-linked hacking group 'Gamaredon' is still launching cyber-espionage attacks against a number of organisations in Ukraine.
In a blog post detailing Gamaredon's tactics, Symantec's Threat Hunter Team said the group's attacks have grown more sophisticated in recent months. The attackers are now using living-off-the-land tools to steal confidential data from victim networks.
Gamaredon - also known as Shuckworm, Primitive Bear and Armageddon - is a notorious advanced persistent threat group that has been active since 2013. It has targeted many Ukrainian organisations in recent years, and both security experts and Ukrainian security services believe it is operated directly by the Russian Federal Security Service. Gamaredon is allegedly responsible for launching espionage and intelligence-gathering attacks on Ukrainian military forces.
In March 2020, Gamaredon was observed taking advantage of the COVID-19 pandemic to trick targets.
The group is known to use phishing emails to deploy remote access tools on victims' machines, aiming to exfiltrate data.
Symantec researchers described one specific incident that began on 14th July 2021 and continued until 18th August. The attack began with a spear-phishing email that carried macro-laced Word documents. When opened, the file launched a VBS file that installed 'Pteranodon' - a backdoor that Gamaredon has been using and improving for the last seven years.
Although the group was still using the tried-and-tested phishing email for delivery, researchers observed as many as eight different payloads, each a variant of the backdoor that behaves in a different way, in an effort to establish persistence more firmly and support the delivery of further malware.
After installing Pteranodon on the target system, the hackers installed a 'dropper' that downloaded a virtual network computing (VNC) file, which looked to be the final payload. Gamaredon could use this to explore the compromised system in detail and potentially exfiltrate sensitive information.
Another indicator of compromise is that the majority of the URLs and command-and-control (C2) server IP addresses belong to a small group of hosting companies, including AS9123 TimeWeb Ltd., which is based in Russia.
Symantec noted that most malicious files were found in the following directories:
- CSIDL_PROFILE\
- CSIDL_PROFILE\Links
- CSIDL_PROFILE\Searches
- CSIDL_PROFILE\AppData\Local\Temp\
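A simple local hunt over the directories listed above, added here as an illustration rather than taken from Symantec's report. It resolves CSIDL_PROFILE to every profile registered on the host and reports recently modified script and executable files in those four locations; the look-back window, file extensions and function name are assumptions.

```powershell
# Added example (not from Symantec's report): list recently modified script/executable files
# in the profile directories the report names. Window and extensions are assumptions.
function Find-SuspiciousProfileFiles {
    param(
        [int]$DaysBack = 30,                                                   # assumed window
        [string[]]$Extensions = @('*.vbs','*.vbe','*.js','*.wsf','*.exe','*.dll',
                                  '*.bat','*.cmd','*.ps1','*.lnk')            # assumed set
    )
    $Since = (Get-Date).AddDays(-$DaysBack)

    # CSIDL_PROFILE is the user's profile root; the sub-folders are the ones from the report.
    $RelativeDirs = @('', 'Links', 'Searches', 'AppData\Local\Temp')

    # Enumerate every registered profile instead of assuming only C:\Users\<name>.
    $ProfileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $Profiles = Get-ChildItem $ProfileKey | ForEach-Object {
        $p = (Get-ItemProperty $_.PSPath).ProfileImagePath
        if ($p) { [Environment]::ExpandEnvironmentVariables($p) }
    } | Where-Object { Test-Path $_ }

    foreach ($Profile in $Profiles) {
        foreach ($Rel in $RelativeDirs) {
            $Dir = if ($Rel) { Join-Path $Profile $Rel } else { $Profile }
            if (-not (Test-Path $Dir)) { continue }
            # Top level only: the report names these directories themselves, not subtrees.
            Get-ChildItem -Path (Join-Path $Dir '*') -Include $Extensions -File -Force `
                          -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -ge $Since } |
                ForEach-Object {
                    [PSCustomObject]@{
                        Profile  = $Profile
                        Path     = $_.FullName
                        Bytes    = $_.Length
                        Modified = $_.LastWriteTime
                        SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256 `
                                        -ErrorAction SilentlyContinue).Hash
                    }
                }
        }
    }
}

# Run from an elevated prompt so other users' profiles are readable; review hits manually.
Find-SuspiciousProfileFiles | Sort-Object Modified -Descending | Format-Table -AutoSize
```

A script or executable sitting directly in a user's Links or Searches folder is unusual enough to warrant a closer look, but the output is a triage list, not a verdict.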
Symantec's report comes as Russia has amassed around 100,000 troops at Ukraine's eastern border while it reportedly considers an invasion.
Earlier this month, multiple Ukrainian government websites were the target of a sustained hacking campaign, with the attackers leaving menacing messages apparently aimed at intimidating Ukrainian citizens. The attackers targeted websites belonging to the Ministry of Foreign Affairs, the Cabinet of Ministers, the ministries of energy, education, and agricultural policy, and the 'Diia' platform.
Canada's foreign ministry was also hit with a cyber attack this month, affecting 'some access to internet and internet-based services'. The attack came a day before Canada's Cyber Centre advised Canadian organisations, especially network operators of critical infrastructure, to bolster their defences against Russian state-sponsored threats.