Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) is targeting employees of the Ukrainian government, defense, and law enforcement agencies with a piece of a custom-made information stealer implant.
The malicious code was designed to exfiltrate files and deploy additional payloads, threat actors are using phishing documents containing lures related to the Russian invasion of Ukraine.
The threat actors relied on LNK files, PowerShell and VBScript to achieve initial access to the target systems, then deployed malicious payloads in the post-infection phase.
“Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain.” reads the analysis published by Talos. “The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.”
The nation-state actors are using weaponized Microsoft Office documents containing remote templates with malicious VBScript macros. The macros download and open RAR archives containing LNK files that download and activate the next-stage malware.
The Talos’s attribution of the attacks to Gamaredon is based on a significant overlap between the tactics, techniques and procedures (TTPs) used in this campaign and those used in previous attacks against Ukraine Computer Emergency Response Team (CERT-UA) and attributed to Gamaredon.
The experts observed threat actors using a PowerShell script used to deploy an information stealer used to exfiltrate files of specific extensions including .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. Experts pointed out that this infostealer was not involved in previous campaigns attributed to Gamaredon. The researchers speculate it may be a component of Gamaredon’s “Giddome” backdoor family, but at the time of this report, they have no evidence.
“Once started, the malware scans all attached storage devices looking for files with the aforementioned extensions. For each one, the malware makes a POST request with metadata about the exfiltrated file and its content.” concludes the analysis that also includes Indicators of Compromise (IoCs).
(SecurityAffairs – hacking, Gamaredon)