The State Cyber Protection Centre (SCPC) of Ukraine has known as out the Russian state-sponsored menace actor referred to as Gamaredon for its focused cyber assaults on public authorities and important data infrastructure within the nation.
The superior persistent menace, also called Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a observe report of hanging Ukrainian entities relationship way back to 2013.
“UAC-0010 group’s ongoing exercise is characterised by a multi-step obtain strategy and executing payloads of the spyware and adware used to take care of management over contaminated hosts,” the SCPC stated. “For now, the UAC-0010 group makes use of GammaLoad and GammaSteel spyware and adware of their campaigns.”
GammaLoad is a VBScript dropper malware engineered to obtain next-stage VBScript from a distant server. GammaSteel is a PowerShell script that is able to conducting reconnaissance and executing extra instructions.
The purpose of the assaults is geared extra in direction of espionage and data theft fairly than sabotage, the company famous. The SCPC additionally emphasised the “insistent” evolution of the group’s ways by redeveloping its malware toolset to remain below the radar, calling Gamaredon a “key cyber menace.”
Attack chains begin with spear-phishing emails carrying a RAR archive that, when opened, prompts a prolonged sequence comprising 5 intermediate levels – an LNK file, an HTA file, and three VBScript recordsdata – that finally culminate within the supply of a PowerShell payload.
Information pertaining to the IP handle of the command-and-control (C2) servers is posted in periodically rotated Telegram channels, corroborating a report from BlackBerry late final month.
All the analyzed VBScript droppers and PowerShell scripts, per SCPC, are variants of GammaLoad and GammaSteel malware, respectively, successfully allowing the adversary to exfiltrate delicate data.
The disclosure comes because the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed particulars of a brand new malicious marketing campaign focusing on state authorities of Ukraine and Poland.
The assaults take the type of lookalike internet pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) in an try to trick guests into downloading software program that claims to detect contaminated computer systems.
However, upon launching the file – a Windows batch script named “Protector.bat” – it results in the execution of a PowerShell script that is able to capturing screenshots and harvesting recordsdata with 19 completely different extensions from the workstation.
CERT-UA has attributed the operation to a menace actor it calls UAC-0114, which is also called Winter Vivern – an exercise cluster that has prior to now leveraged weaponized Microsoft Excel paperwork containing XLM macros to deploy PowerShell implants on compromised hosts.
Russia’s invasion of Ukraine in February 2022 has been complemented by focused phishing campaigns, harmful malware strikes, and distributed denial-of-service (DDoS) assaults.
Cybersecurity agency Trellix stated it noticed a 20-fold surge in email-based cyber assaults on Ukraine’s private and non-private sectors within the third week of November 2022, attributing a majority of the messages to Gamaredon.
Other malware households prominently disseminated by way of these campaigns encompass Houdini RAT, FormBook, Remcos, and Andromeda, the latter of which has been repurposed by the Turla hacking crew to deploy their very own malware.
“As the Ukraine-Russia struggle continues, the cyber assaults on Ukraine power, authorities and transportation, infrastructure, monetary sector and so on. are happening constantly,” Trellix stated. “In occasions of such panic and unrest, the attackers intention to capitalize on the distraction and stress of the victims to efficiently exploit them.”