Gamaredon: A new report released by Sentinel Labs has illustrated how the well-known pro-Russian Advanced Persistent Threat (APT) Gamaredon has improved their toolkits in previous months to continue their campaigns. Attacks from the group have ramped up against Ukrainian national security targets. Digital attacks on physical infrastructure and field hardware have been on the rise from the group since December, along with the standard cyber-espionage campaigns that are expected from Russia against Ukraine. Sentinel Labs has seen more than 5,000 unique entities in Ukraine become affected, including spyware implants found on Ukrainian government targets and reconnaissance actions against the National Ground Force Academy in Ukraine. The malware most frequently used by the group is an updated version of Pterodo, which has been developed and used by the group for some time. Pterodo is used for reconnaissance activities to collect system data and share it with its command and control (C2) server. The malware is a self-extracting zip-archive (.SFX) and the implant components contain a batch script, a binary processor, .NET component and macro payloads. Most notably in this update, the malware uses the .Net framework interoperability integrator known as Microsoft.Vbe.Interop to run macro code in Microsoft Word and Excel, with the Office applications running hidden in the background. This is a novel method to avoid anti-virus detection. The malware uses a fake digital certificate issued to “Microsoft Time-Stamp Service” and sets registry keys to allow execution of macros and disable warnings about running Visual Basic for Applications (VBA) scripts. It maintains persistence through scheduled tasks that run every 12 minutes and every 15 minutes. The malware’s C2 servers redirect traffic multiple times, using dynamic DNS to frequently change the IP address that the domain name resolves to. The first-layer domain name used by the malware is: masseffect[.]space.
Analyst Notes
Gamaredon is a pro-Russian threat group, likely state-sponsored, that has been seen carrying out attacks for years. With a primary focus in Ukraine, it has substantially ramped up its campaign in the past months and revised its malware to better serve their needs. Since this group has only ever been seen targeted Ukraine entities, there is a low chance that campaigns would spill over into other countries, but that does not mean that the malware could not be used by other Russian state-sponsored actors. The malware uses novel methods to avoid detection by anti-virus, but its behaviors would be caught by Managed Detection and Response (MDR) tools. As a precaution, companies should utilize a monitoring service to their network that can find and stop intrusions of reconnaissance tools such as Pterodo. Binary Defense’s Managed Detection and Response with 24/7/365 monitoring from our Security Operations Center would be able to identify these types of threats quickly and greatly reduce the amount of damage that can be done. The full report from Sentinel Labs can be found here: https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/
