Gamaredon: A new report released by Sentinel Labs has illustrated how the well-known pro-Russian Advanced Persistent Threat (APT) Gamaredon has improved their toolkits in previous months to continue their campaigns. Attacks from the group have ramped up against Ukrainian national security targets. Digital attacks on physical infrastructure and field hardware have been on the rise from the group since December, along with the standard cyber-espionage campaigns that are expected from Russia against Ukraine. Sentinel Labs has seen more than 5,000 unique entities in Ukraine become affected, including spyware implants found on Ukrainian government targets and reconnaissance actions against the National Ground Force Academy in Ukraine. The malware most frequently used by the group is an updated version of Pterodo, which has been developed and used by the group for some time. Pterodo is used for reconnaissance activities to collect system data and share it with its command and control (C2) server. The malware is a self-extracting zip-archive (.SFX) and the implant components contain a batch script, a binary processor, .NET component and macro payloads. Most notably in this update, the malware uses the .Net framework interoperability integrator known as Microsoft.Vbe.Interop to run macro code in Microsoft Word and Excel, with the Office applications running hidden in the background. This is a novel method to avoid anti-virus detection. The malware uses a fake digital certificate issued to “Microsoft Time-Stamp Service” and sets registry keys to allow execution of macros and disable warnings about running Visual Basic for Applications (VBA) scripts. It maintains persistence through scheduled tasks that run every 12 minutes and every 15 minutes. The malware’s C2 servers redirect traffic multiple times, using dynamic DNS to frequently change the IP address that the domain name resolves to. The first-layer domain name used by the malware is: masseffect[.]space.
By: Dan McNemar It is not a new concept that criminals use the Darknet to