Gamaredon, the Russia-backed advanced persistent threat (APT) threat actor that has been active since at least 2013 has reinforced its surreptitious cyber warfare activities for gathering intelligence on the Ukrainian national security and military forces through enhanced tools, techniques, and tactics. Functioning as a proxy for the Russian intelligence, Gamaredon is known to conduct espionage attacks on Ukrainian military forces, thereby giving pro-Russian forces a competitive edge on account of the intelligence amassed by the group.
Recently, Cyble Research Team observed a new surge of Gamaredon APT attacks targeting the Ukrainian national security force with spear-phishing emails. The attached exploit document delivers additional payload and sadly, the spear-phishing email is marked as ‘clean’ by Kaspersky Secure Mail Gateway. As shown in the figure below, the email header information further affirms that the threat actor is originating from Russia.
Figure 1: Target email of Gamaredon Campaign
As shown in Figure 2, the VT intelligence hook graph clearly depicts the link of the smtp server that targets towards the Ukrainian server named “ssu.gov.ua”.
Figure 2: Hook diagram of Threat Actor
At the time of analysis, the malicious document file only had a few endpoint detections, as depicted in figure 3.
Figure 3: VT coverage of malicious document
The exploit document employs the template injection technique to install additional malware on the victim’s machine. Upon opening the document, it connects back to the hacker’s server “srv166997[.]hoster-test[.]ru” to download the payload file named “HIXOzc.dot“, as demonstrated in the image below.
Figure 4: Template injection connects back to C2 server
The APT group has remained active since 2013, with several Gamaredon-related activities reported on the first quarter of 2020. The latest attack by the threat group has a similar infection flow as identified in the APT group’s earlier Covid-19 campaign with minor changes in the email header and subject. Here is the high-level infection flow of the threat actor:
- It starts with a spear-phishing email with a malicious document that targets victims.
- The exploit document delivers additional payload through the template injection technique.
- The installed payload performs malicious actives as per the hacker’s command.
The Gamaredon group is characterized by the continuous enhancement of its technical capabilities, persistent targeting of the Ukrainian national security entities, and it sets an illustrative example of cyber warfare between two nations.
Cyble Research team is continuously monitoring to harvest threat indicators/TTP’s of Emerging APT’s in the wild to ensure that targeted organizations are well informed and proactively protected.
Indicators of Compromise (IoCs)
1bfaec25ad02e0c25323ef0427fef804 – №23 01-12 38 від 05.10.2020.eml
8e575b76cbd9d7b7b41080991aafd663 – Malicious document
00193e6e5daddd26d2417ad49038b2ae – Hack-Loader2.exe
Srv166997[.]hoster-testru/decidedly/seen/days/grown/HBHoFp[.]dot – template injection network destination
Sakidus[.]myftp[.]org/KyVJhg[.]dot – Template injection network destination
Moris[.]hopto[.]org/post/win/SBuTcj[.]dot – Template injection network destination
srv159232[.]hoster-test[.]ru/json[.]php – C2 communication
31.28.24[.]131 – C2
MITRE ATT&CK Framework
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.