Friday, March 29, 2024

New variants of Gamaredon malware target Ukraine’s critical infrastructure


The Gamaredon group has extensive experience in attacks on Ukraine’s IT systems and is constantly updating its tools.

The State Cyber Defense Center of Ukraine (SCDC) has found that the Gamaredon group is conducting targeted cyberattacks on public authorities and critical IT infrastructure in the country.

The APT group, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has repeatedly attacked Ukrainian organizations, with activity documented as early as 2022.

According to the SCDC report, UAC-0010 activity is characterized by multi-stage spyware payloads used to maintain control over infected hosts. According to CERT-UA, the group currently uses the GammaLoad and GammaSteel spyware in its campaigns:

  • GammaLoad is a VBScript dropper designed to fetch the next-stage VBScript payload from a remote server;
  • GammaSteel is a PowerShell script capable of performing reconnaissance and executing additional commands.

The agency notes that Gamaredon’s attacks are focused on espionage and information theft rather than sabotage. The center also highlighted the “persistent” evolution of the group’s tactics, with the malware suite updated regularly to stay under the radar, and called Gamaredon “a key cyber threat.”

The attack chains begin with spear-phishing emails carrying a RAR archive. Opening it triggers a chain of five intermediate stages that culminates in the delivery of a PowerShell payload:

  1. an LNK file (1);
  2. an HTA file (1);
  3. VBScript files (3).

Another tactic is to infect the template file “C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Templates\Normal.dotm” with a macro that generates a URL and inserts it into each newly created document as a link to a remote template (remote template injection). Every new document created on the machine is thus infected and, when shared, spreads the malware further.
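A practical check for the template-infection tactic described above is to inspect a Word package for the two things it leaves behind: an embedded VBA project and an attachedTemplate relationship whose target points off the local machine. The scanner below is an added example written for this article; it is not Gamaredon’s code or SCDC tooling, and the sample .dotm-style packages it scans are constructed in memory (with a made-up target host) so it runs offline. It relies only on the standard OOXML relationship type for attached templates and on the conventional part name word/vbaProject.bin.

```python
"""Flag remote template injection and embedded VBA in a Word OOXML package.

Added example for this article (not the threat actor's or SCDC's code).
Sample packages are constructed inline so the check runs offline.
"""
import io
import re
import zipfile
from typing import List

# Standard OOXML relationship type Word uses for the attached template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
VBA_PART = "word/vbaProject.bin"

# Targets that point off the local machine: web/FTP URLs, UNC paths, or
# file:// URLs with a host component (file://server/share/x.dotm).
# A plain local template (file:///C:/...) is deliberately not flagged.
REMOTE_TARGET = re.compile(r"(?i)^(https?|ftp)://|^\\\\|^file://[^/]")


def scan_ooxml(data: bytes) -> List[str]:
    """Return findings for a .docx/.dotm package given as raw bytes."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # A default profile's Normal.dotm usually carries no VBA project.
        if VBA_PART in names:
            findings.append(f"embedded VBA project: {VBA_PART}")
        if SETTINGS_RELS in names:
            rels = zf.read(SETTINGS_RELS).decode("utf-8", errors="replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", rels):
                attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
                if attrs.get("Type") != ATTACHED_TEMPLATE_REL:
                    continue
                target = attrs.get("Target", "")
                if attrs.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    findings.append(f"remote attached template: {target}")
    return findings


def build_sample(template_target: str, with_vba: bool) -> bytes:
    """Construct a minimal .dotm-like package (test data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr(
            SETTINGS_RELS,
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
            f'Target="{template_target}" TargetMode="External"/>'
            "</Relationships>",
        )
        if with_vba:
            zf.writestr(VBA_PART, b"\x00" * 16)  # placeholder, not a real VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical host; a real Normal.dotm would be read from disk instead.
    suspicious = build_sample("http://example.invalid/normal.dotm", with_vba=True)
    benign = build_sample(
        "file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm", with_vba=False
    )
    print("suspicious:", scan_ooxml(suspicious))
    print("benign:", scan_ooxml(benign))
```

On a real host, pass the bytes of %APPDATA%\Microsoft\Templates\Normal.dotm (and of any recently created documents) to scan_ooxml; a hit on the attached-template check is the link injected into new documents that the article describes, and the VBA finding is the macro that plants it. The attribute regex is enough for Word-written rels files, but a hostile package could still hide the relationship behind XML tricks, so treat a clean result as a quick triage, not proof of absence.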

Information about the IP addresses of the command-and-control (C2) servers is published in Telegram channels that change periodically. All analyzed VBScript droppers and PowerShell scripts are variants of GammaLoad and GammaSteel, respectively, which allow the attacker to extract sensitive information.



Source: www.securitylab.ru
