A Russian government-backed cyber espionage group known as Gamaledon has continued its digital attacks against Ukraine, with the most recent attack using the popular messaging app Telegram to attack domestic military and law enforcement agencies. doing.
“Gamaredon Group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and geolocation verification, ultimately transferring victims to the next stage server for the final payload. We will guide you,” said the BlackBerry Research and Intelligence Team. Said In a report shared with The Hacker News. “The technique of infecting this kind of target system is new.”
GamaredonAlso known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflunderer.
Last month, Palo Alto Networks Unit 42 revealed that attackers had unsuccessfully tried to break into an unnamed oil refinery in a NATO member state during the war between Russia and Ukraine.
The attack chain launched by the threat actor uses legitimate Microsoft Office documents originating from Ukrainian government entities as lures in spear-phishing emails to deliver malware capable of gathering sensitive information.
When these documents are opened, malicious templates are loaded from a remote source (a technique known as remote template injection), effectively bypassing the need to enable macros to infiltrate and spread the infection on the target system. increase.
The latest findings from BlackBerry show the evolution of the group’s tactics of using hardcoded Telegram channels to obtain the IP addresses of servers hosting malware. IP addresses are regularly rotated and fly under the radar.
For that reason, remote templates are designed to fetch VBA scripts. The VBA script drops a VBScript file that connects to the IP address specified in the Telegram channel and fetches the next stage, the PowerShell script. Another IP address for fetching PHP files.
This PHP file connects to another Telegram channel to obtain a third IP address containing the final payload, an information-stealing malware previously revealed by Cisco Talos in September 2022. is tasked with
Also note that the highly obfuscated VBA script will only be delivered if the target’s IP address is located in Ukraine.
“Threat groups dynamically change IP addresses, making it even more difficult to automate analysis using sandboxing techniques when samples expire,” BlackBerry noted.
“The fact that the suspicious IP addresses only change during working hours in Eastern Europe suggests that the attackers are operating from a single location and belong to an offensive cyber unit conducting malicious operations against Ukraine. It strongly suggests that there is a high possibility that
The development is carried out as the Ukrainian Computer Emergency Response Team (CERT-UA). Attribution a devastating malware attack It targeted the Ukrainian state news agency and attacked the Sandworm hacking group with ties to Russia.