Gamaredon, a Russian-linked APT group aka Armageddon, continues to target Ukrainian entities with GammaLoad, a PowerShell info-stealer malware. The ongoing cyber espionage campaign was confirmed by the Ukrainian Emergency Response Team.
Although the Gamaredon gang was initially identified by researchers in 2015, this Russia-backed advanced persistent threat (APT) has been operating since at least 2013. The group specifically targeted Ukrainian military and political institutions.
Gamaredon’s activity has continued uninterrupted throughout the sixth month of the conflict (Cyber warfare), with the most recent round of strikes lasting from July 15 to August 8, 2022.
The most latest infection vector consists of phishing emails that contain a self-extracting 7-Zip package that downloads an XML file from a “xsph.ru” subdomain. The PowerShell info-stealer that is executed as a result of the XML file has multiple significantly modified variations, most likely an attempt to avoid discovery.
“The downloading of the XML file onto victim networks was followed by the execution of a PowerShell stealer. We saw three versions of the same PowerShell stealer appear on the one system.It’s possible the attackers may have deployed multiple versions of the stealer, which were all very similar, as an attempt to evade detection.” according to analysis published recently.
The hosted files were on a subdomain that has been linked to Shuckworm activity since May 2022. GammaLoad.PS1 v2 is a PowerShell stealer malware that the attackers used as their final payload.
Additionally, the Gamaredon trademark tool, the Pterodo backdoor, as well as, in some cases, the Giddome backdoor, were downloaded by the Russian hackers using VBS downloaders. These backdoors provide the attackers the ability to capture screenshots from the desktop, log and steal keystrokes, download and run additional “.exe” and “.dll” payloads, and record audio via the host’s microphone.
In this recent campaign, threat actors were seen using legitimate remote desktop protocol utilities ‘Ammyy Admin’ and ‘AnyDesk’ to get remote access.
“Shuckworm’s long-term emphasis on Ukraine looks to be continuing unabated as the Russian invasion reaches the six-month mark. The fact that this latest effort continues even after CERT-UA reported it demonstrates that the group’s fear of exposure does not deter it from its activities. While Shuckworm is not the most operationally proficient espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations.” They conclude.