The Russia-linked Gamaredon group tried to unsuccessfully break into a big petroleum refining firm inside a NATO member state earlier this yr amid the continuing Russo-Ukrainian battle.
The assault, which befell on August 30, 2022, is only one of a number of assaults orchestrated by the superior persistent menace (APT) that is attributed to Russia’s Federal Security Service (FSB).
Gamaredon, additionally identified by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a historical past of primarily going after Ukrainian entities and, to a lesser extent, NATO allies to reap delicate information.
“As the battle has continued on the bottom and in our on-line world, Trident Ursa has been working as a devoted entry creator and intelligence gatherer,” Palo Alto Networks Unit 42 stated in a report shared with The Hacker News. “Trident Ursa stays probably the most pervasive, intrusive, repeatedly lively and targeted APTs concentrating on Ukraine.”
Unit 42’s continued monitoring of the group’s actions has uncovered greater than 500 new domains, 200 malware samples, and a number of shifts in its ways over the previous 10 months in response to ever-changing and increasing priorities.
Beyond cyberattacks, the bigger safety group is claimed to have been on the receiving finish of threatening tweets from a purported Gamaredon affiliate, highlighting the intimidation strategies adopted by the adversary.
Other noteworthy strategies embody using Telegram pages to lookup command-and-control (C2) servers and quick flux DNS to rotate by many IP addresses in a brief span of time to make IP-based denylisting and takedown efforts more durable.
The assaults themselves entail the supply of weaponized attachments embedded inside spear-phishing emails to deploy a VBScript backdoor on the compromised host that is able to establishing persistence and executing extra VBScript code equipped by the C2 server.
Gamaredon an infection chains have additionally been noticed leveraging geoblocking to restrict the assaults to particular places together with using dropper executables to launch next-stage VBScript payloads, which subsequently hook up with the C2 server to execute additional instructions.
The geoblocking mechanism capabilities as a safety blindspot because it reduces the visibility of the menace actor’s assaults outdoors of the focused international locations and makes its actions harder to trace.
“Trident Ursa stays an agile and adaptive APT that doesn’t use overly refined or complicated strategies in its operations,” the researchers stated. “In most circumstances, they depend on publicly out there instruments and scripts – together with a big quantity of obfuscation – in addition to routine phishing makes an attempt to efficiently execute their operations.”