Ukraine’s cyber defenders fight the Gamaredon group, which steals Ukrainian data within 30 minutes
When time is money.
The Computer Emergency Response Team of Ukraine (CERT-UA) warns about the activity of the Gamaredon hacker group, which is capable of stealing data from compromised systems within an hour of initial penetration.
Gamaredon (also known as Armageddon, UAC-0010, Shuckworm, Actinium, Iron Tilden, Primitive Bear, Trident Ursa) repeatedly carried out targeted cyberattacks on public authorities and critical IT infrastructure in Ukraine.
Gamaredon attacks usually begin with a message in Telegram, WhatsApp or Signal. The hackers trick the victim into opening malicious attachments masquerading as Microsoft Word or Excel documents. Opening the attachment causes malicious PowerShell scripts and the GammaSteel malware to be downloaded and executed on the victim’s device.
The hackers also modify Microsoft Word templates on infected computers so that every document created on them contains a malicious macro capable of spreading Gamaredon malware to other systems. In addition, the PowerShell script captures session data from browser cookies, which lets the attackers control victim accounts even when they are protected by two-factor authentication (2FA).
As for the GammaSteel functionality, CERT-UA indicates that the malware targets files with specific extensions (.doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb). The attacker exfiltrates documents of interest within 30-50 minutes.
Another feature of Gamaredon attacks is that a compromised computer can be infected repeatedly within a week. In that week, the hackers can place up to 120 malicious files on the compromised system, increasing the chance of re-infection. In other words, if at least one infected file or document remains after the system has been cleaned, it will infect other files again.
In addition, Gamaredon automatically infects all connected USB devices, spreading to isolated networks. The attackers also change the IP addresses of their intermediate C2 servers regularly, 3 to 6 times a day, making it difficult to block the activity or track the group.
CERT-UA reports that the most effective way to limit the impact of Gamaredon attacks is to block or limit the unauthorized execution of programs “mshta.exe”, “wscript.exe”, “cscript.exe” and “powershell.exe”.
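One way to put this recommendation to work on the detection side, as an added example that is not from CERT-UA or the article: a small Python triage over constructed Sysmon-style process-creation events that flags the four binaries named above and ranks a script host launched from Word or Excel (the attachment path described earlier) highest. The field names, the sample events and the severity scheme are assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

# Binaries CERT-UA recommends blocking or restricting (from the article).
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Office parents under which a malicious attachment would launch them.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Constructed sample events (Sysmon-style field names assumed for this example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\analyst"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "User": r"CORP\analyst"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\analyst"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\analyst"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores case and directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Severity for one process-creation event, or None if the image is not a script host."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    if image not in LOLBINS:
        return None
    if parent in OFFICE_PARENTS or parent in LOLBINS:
        # Script host spawned by an Office document, or chained hosts (mshta -> powershell).
        return "high"
    if event["User"].upper().startswith("NT AUTHORITY\\"):
        # System-context use is usually scheduled maintenance; review, but rank low.
        return "low"
    return "medium"


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(severity, image, parent) for every event worth an analyst's attention."""
    out = []
    for e in events:
        sev = classify(e)
        if sev is not None:
            out.append((sev, basename(e["Image"]), basename(e["ParentImage"])))
    return out
```

Tune the parent and user allow-lists to the environment before using this as an alert; logon scripts and management agents legitimately run these hosts.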
The agency notes that Gamaredon’s attacks are more about espionage and information theft than sabotage. It also highlighted the “persistent” evolution of the hackers’ tactics, with the group updating its malware suite to stay under the radar, and called Gamaredon “a key cyber threat.”
Earlier, Palo Alto Networks researchers reported that in August 2022 the Gamaredon group attempted an unsuccessful attack on a major oil refinery in a NATO member country.