Severity
High
Analysis Summary
Gamaredon is a Russia-backed advanced persistent threat (APT) group that has been operating since at least 2013. Its main goal is to gain control of the target machine through a malicious document. The exploit document uses the template injection technique to infect the victim’s computer with further malware: when the document is opened, it connects to the attacker’s server and downloads the payload file. Gamaredon’s tools are simple and designed to collect sensitive information from compromised systems and propagate it further. Its information-gathering efforts are nearly comparable to those of a second-tier APT whose primary purpose is to collect information and disseminate it among its units. The Gamaredon APT group’s current attack uses a decree document from the Russian Federation government as bait. The group continues to target Ukraine; in its latest campaign, the threat actors used an SFX file disguised with a Word icon which, when clicked, launched a batch file that dropped a legitimately signed VNC remote-control component. This group has shown no signs of being interested in adopting crimeware tactics to monetize its operation; its primary focus has instead been espionage.
The Gamaredon APT threat actor has recently started using a new custom information-stealing malware to target employees of Ukrainian government, defense, and law enforcement institutions.
The group uses malicious LNK files delivered in RAR packages to target users in Ukraine. The threat actors use phishing documents with lures connected to the Russian invasion of Ukraine in order to spread further payloads and exfiltrate data. They utilize VBScript, PowerShell, and LNK files to gain initial access to the target and then deploy malicious payloads after infection.
Gamaredon APT attackers most likely entered targeted networks through phishing emails containing malicious Microsoft Office documents, in line with the spear-phishing methods this APT uses often. The group uses malicious VBScript macros in weaponized Microsoft Office documents with remote templates. The macros download LNK files from RAR packages and open them, after which the next-stage malware is downloaded and activated.

According to researchers,
“The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.
One of the executables that the attackers used to spread their malware via the PowerShell script had an information stealer that exfiltrated files with the following extensions from the infected endpoint: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb.
According to experts, this infostealer was not a part of earlier activities linked to Gamaredon. It is a speculative claim that it could be a component of Gamaredon’s “Giddome” backdoor family, but they do not yet have any supportive evidence.
Once started, the malware scans all attached storage devices looking for files with the aforementioned extensions. For each one, the malware makes a POST request with metadata about the exfiltrated file and its content,” concludes the report.
Since its debut in 2013, Gamaredon has continued to be a prolific group that does not seem to be deterred by the rising attention to its actions. The group has also targeted educational institutions in the U.S., European telecom companies, and large hosting companies in Africa.
Impact
- Template Injection
- Exposure of Sensitive Data
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.