Ukraine’s State Cyber Protection Center (SCPC) has called a Russian state-backed threat actor known as: Gamaredon Against targeted cyberattacks against national public institutions and critical information infrastructure.
Advanced Persistent Threats, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010 include: achievement Strike entities in Ukraine dating back to 2013.
The SCPC states, “The UAC-0010 group’s ongoing activity is characterized by a multi-stage download approach and the execution of spyware payloads used to maintain control of infected hosts.” increase. Said“For now, the UAC-0010 group Gamma Lord and Gamma Steel Spyware in their campaign. ”
GammaLoad is a VBScript dropper malware designed to download next-stage VBScript from remote servers. GammaSteel is a PowerShell script that can do reconnaissance and execute additional commands.
The agency notes that the attacks are aimed at espionage and information theft, not sabotage. The SCPC also called Gamaredon a “major cyberthreat” and emphasized the “continuous” evolution of the group’s tactics by redeveloping its malware toolset to stay under the radar.
The attack chain begins with a spear-phishing email containing a RAR archive. When the RAR archive is opened, it activates a long sequence consisting of 5 intermediate stages (LNK file, HTA file, 3 of his VBScript files), culminating in the delivery of the PowerShell payload.
Information about command and control (C2) server IP addresses has been posted on a regularly rotating Telegram channel, corroborating reports from BlackBerry late last month.
According to SCPC, all analyzed VBScript droppers and PowerShell scripts are variants of the GammaLoad and GammaSteel malware, respectively, allowing adversaries to effectively exfiltrate sensitive information.
This disclosure is made as the Computer Emergency Response Team of Ukraine (CERT-UA). disclosed Details of a new malicious campaign targeting Ukrainian and Polish national authorities.
The attack takes the form of look-alike web pages impersonating the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) to trick visitors into downloading software that claims to detect infected computers. will do.
However, launching this file (a Windows batch script named “Protector.bat”) runs a PowerShell script that captures screenshots from your workstation and can collect files with 19 different extensions. increase.
CERT-UA attributes this operation to a threat actor referred to as UAC-0114. bevern in winter – activity cluster In the past, they have leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants to compromised hosts.
According to cybersecurity firm Trellix: Observed In the third week of November 2022, there was a 20-fold surge in email-based cyberattacks against the public and private sectors of Ukraine, with the majority of messages attributed to Gamaredon.
Other malware families widely distributed through these campaigns consisted of Houdini RAT, FormBook, Remcos, and Andromeda, the latter of which Turla hacking crews repurposed to deploy their own malware.
“Cyberattacks against Ukraine’s energy, government and transport, infrastructure, and financial sectors continue consistently as the Ukrainian-Russian war continues,” Trellix said. “In times of panic and anxiety like this, attackers aim to exploit the distractions and stress of victims to successfully exploit them.”