Join today’s top leaders online at the Data Summit on March 9. Register here.
Russia-linked threat actor Gamaredon, which allegedly launched a cyberattack on a Western government organization in Ukraine last month, is a highly agile operation with a heavy emphasis on using tactics to evade detection, according to Microsoft security researchers.
Gamaredon’s main purpose appears to be cyber espionage, Microsoft Threat Intelligence Center (MSTIC) researchers said in a blog post today.
While Gamaredon has primarily targeted Ukrainian officials and organizations in the past, the group attempted a Jan. 19 attack aimed at compromising a Western government “entity” in Ukraine, researchers from the Unit 42 organization in Ukraine reported Thursday. Palo Alto Networks. Gamaredon’s leadership includes five officers from Russia’s Federal Security Service, Ukraine’s Security Service previously said.
Microsoft threat researchers today published their own findings on Gamaredon in the blog post, revealing that the group has been actively involved in malicious cyber activities in Ukraine since October 2021.
While the hacker group was dubbed “Gamaredon” by Unit 42, Microsoft refers to the group as “Actinium”.
“Over the past six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning the government, military, non-governmental organizations (NGOs), judiciary, law enforcement, and non-profit organizations. , with the primary intent of exfiltrating sensitive information, maintaining access, and using gained access to move laterally into related organizations,” the threat researchers said in the post. “MSTIC has observed ACTINIUM operating from Crimea with objectives consistent with cyber espionage.”
Frequently used tactics by the group include spear-phishing emails with malicious macro attachments, resulting in the deployment of remote models, the researchers said. By having a document load a remote document template with malicious code – the macros – it “ensures that malicious content is only loaded when necessary (e.g. when the user opens the document) “, said Microsoft.
“This helps attackers evade static detections, for example, by systems that scan attachments for malicious content,” the researchers said. “Remotely hosting the malicious macro also allows an attacker to control when and how the malicious component is delivered, thereby avoiding detection by preventing automated systems from obtaining and analyzing the malicious component.”
Microsoft researchers report that they have observed many email phishing lures used by Gamaredon, including those that impersonate legitimate organizations, “using benign attachments to establish trust and familiarity with target”.
In terms of malware, Gamaredon uses a variety of different strains, the most “feature-rich” of which is Pterodo, according to Microsoft. The Pterodo malware family brings an “ability to evade detection and thwart analysis” through the use of a “dynamic Windows function hashing algorithm to map the necessary API components, and a ‘on-demand’ to decrypt necessary data and free up allocated heap space when used,” the researchers said.
Meanwhile, the PowerPunch malware used by the group is “an agile and scalable sequence of malicious code”, Microsoft said. Other malware families employed by Gamaredon include ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown.
“A very agile threat”
Gamaredon “rapidly develops new obfuscated and lightweight capabilities to later deploy more advanced malware,” Microsoft researchers said. “These are fast-moving targets with a high degree of variance.”
The payloads analyzed by the researchers show a major focus on obfuscated Visual Basic Script (VBScript), a Microsoft scripting language. “As an attack, this is not a new approach, but it continues to prove itself as antivirus solutions must constantly adapt to keep pace with a very agile threat,” the researchers said.
Unit 42 reported on Thursday that Gamaredon’s attempted attack on a Western government organization in January involved a targeted phishing attempt.
Instead of emailing the malware downloader to their target, Gamaredon “leveraged a job search and employment service in Ukraine,” the Unit 42 researchers said. In doing so, the actors searched for an active job offer, uploaded their uploader as a resume, and submitted it through the job search platform to a western government entity.”
Due to the “steps and precision delivery involved in this campaign, it appears to be a specific and deliberate attempt by Gamaredon to compromise this Western government organization,” Unit 42 said in its post. .
Unit 42 said it does not more accurately identify or describe the Western government entity Gamaredon is targeting.
No link to ‘WhisperGate’ attacks
The January 19 attack attempt by Gamaredon came less than a week after more than 70 Ukrainian government websites were targeted by the new “WhisperGate” malware family.
However, the threat actor responsible for these attacks appears to be separate from Gamaredon, Microsoft researchers said in today’s post. The Microsoft Threat Intelligence Center “did not find any indicators correlating these two actors or their operations,” the researchers said.
The US Department of Homeland Security (DHS) suggested last month that Russia may be considering a cyberattack on US infrastructure, amid tensions between the countries over Ukraine.
Estimates suggest that Russia has stationed more than 100,000 troops on Ukraine’s eastern border. On Wednesday, US President Joe Biden approved sending 3,000 additional US troops to Eastern Europe.
VentureBeat’s mission is to be a digital public square for technical decision makers to learn about transformative enterprise technology and conduct transactions. Learn more