Security researchers at Microsoft say that Gamaredon, a Russia-linked threat actor suspected of attacking a Western government entity in Ukraine last month, is a highly agile operation that places a high priority on evading detection.
Researchers at the Microsoft Threat Intelligence Center (MSTIC) said in a blog post today that Gamaredon appears to be focused primarily on cyber espionage.
Gamaredon has previously targeted Ukrainian individuals and organisations, but researchers at Palo Alto Networks’ Unit 42 said on Thursday that the group carried out an attack on January 19 aimed at compromising a Western government “entity” in Ukraine. According to the Security Service of Ukraine (SBU), Gamaredon’s leadership consists of five officers of Russia’s Federal Security Service (FSB).
Microsoft’s security analysts wrote in today’s blog post that the group has been conducting malicious cyber operations against Ukraine since October 2021.
Microsoft tracks the group as “ACTINIUM”, while Unit 42 uses the name “Gamaredon”.
MSTIC researchers said they have observed ACTINIUM pursuing access to a wide range of Ukrainian organisations, including the judiciary, law enforcement and non-profit sectors, with the primary aim of exfiltrating sensitive information, maintaining access and using that access to move laterally into related organisations. According to MSTIC, the actor operates out of Crimea with cyber espionage as its objective.
Evading detection
According to the researchers, the group regularly uses spear-phishing emails carrying attachments that make use of malicious macros and remote templates. With a remote template, the malicious content is not stored in the attachment at all: it is fetched from an attacker-controlled server only when the user opens the document.
This defeats static detections, such as scanners that inspect attachments for malicious content, because the attachment itself looks clean, the researchers said. Hosting the malicious macro remotely also gives the attacker complete control over when, and to whom, the harmful component is delivered.
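The check a defender would want for this technique is to open the attachment as the zip container it is and look for an `attachedTemplate` relationship whose target is external, which is what makes Word fetch a template from a URL on open. The scanner below is an added example written for this page, not code from Microsoft, Unit 42 or the Gamaredon samples they analysed; the sample document it builds is constructed in memory and the template URL in it is hypothetical. It also reports any other external, non-hyperlink relationship, since the same mechanism is used for remotely loaded OLE objects and frames.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship types we care about.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
HYPERLINK = OFFICE_REL + "hyperlink"


def external_relationships(docx_bytes):
    """Return every relationship with TargetMode="External" in any .rels part.

    Each hit is (part_name, rel_id, rel_type, target). Hyperlinks are skipped:
    they are external by nature and do not make Word fetch anything on open.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External" or rel.get("Type") == HYPERLINK:
                    continue
                hits.append((part, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits


def remote_template_targets(docx_bytes):
    """Targets of attachedTemplate relationships that point outside the package.

    A benign document has none. A remote-template lure typically has exactly
    one, in word/_rels/settings.xml.rels, pointing at an attacker-controlled URL.
    """
    return [target for _, _, rel_type, target in external_relationships(docx_bytes)
            if rel_type == ATTACHED_TEMPLATE]


def build_sample_docx(template_url=None):
    """Constructed minimal .docx-shaped zip for testing; not a real lure document.

    Only the parts the scanner reads are populated. When template_url is given,
    the settings part carries an external attachedTemplate relationship, the
    mechanism that makes Word download the template when the file is opened.
    """
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_url:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_url))
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL, constructed for the example.
    lure = build_sample_docx("http://example.invalid/templates/resume.dotm")
    print("lure:", remote_template_targets(lure))
    print("clean:", remote_template_targets(build_sample_docx()))
```

In a mail gateway the same function can be run over every `.docx`/`.dotx` attachment; the cheap follow-up is to block or sandbox anything where `remote_template_targets` is non-empty, and to log the URL so the template host can be fetched and analysed separately.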
Gamaredon uses a wide range of phishing lures, including some that impersonate legitimate organisations, to build trust and familiarity with the victim, the Microsoft researchers said.
Gamaredon employs a wide range of malware families, the most “feature-rich” of which is Pterodo, according to Microsoft. The researchers said Pterodo uses “a dynamic Windows function hashing algorithm to map necessary API components and an ‘on-demand’ approach to decrypting needed data and freeing allocated memory after use” to evade detection and hinder analysis.
Microsoft describes PowerPunch, another tool used by the group, as “an agile and evolving chain of malicious code”. Other Gamaredon malware families in use include ObfuMerry and ObfuBerry.
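The “function hashing” mentioned above means the malware never stores API names such as `VirtualAlloc` as strings; it stores a 32-bit hash of each name and walks a DLL’s export table at runtime until an export’s hash matches. The block below is an added illustration of that technique and of how an analyst undoes it, not Pterodo’s code: the page does not describe Pterodo’s actual hash function, so the well-known ROR13 hash from shellcode resolvers is used as an assumed stand-in, and the export list is a constructed subset rather than a real export table.

```python
import struct


def ror13_hash(name):
    """ROR13 string hash of the kind used by common shellcode API resolvers.

    Assumed stand-in for illustration; the page gives no details of Pterodo's
    own algorithm. Each byte is folded in after a 13-bit right rotate.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed subset standing in for a DLL export table. A real tool would walk
# the PE export directory of kernel32.dll, ntdll.dll and friends on disk.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess",
]


def pack_hashes(names):
    """What the malware side keeps: a list of DWORD hashes, no API strings."""
    return b"".join(struct.pack("<I", ror13_hash(n)) for n in names)


def unpack_hashes(blob):
    return [struct.unpack_from("<I", blob, off)[0] for off in range(0, len(blob), 4)]


def build_hash_table(names, hash_fn=ror13_hash):
    """Analyst side: precompute hash -> name for every known export.

    A collision between two exports would make resolution ambiguous, so it is
    treated as an error rather than silently overwritten.
    """
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError("hash collision: %s vs %s" % (table[h], n))
        table[h] = n
    return table


def resolve_blob(blob, table):
    """Map the hashes embedded in a sample back to API names where known."""
    return [table.get(h, "unknown(0x%08x)" % h) for h in unpack_hashes(blob)]


if __name__ == "__main__":
    blob = pack_hashes(["VirtualAlloc", "CreateThread", "NotARealExport"])
    # No API name survives as a string, which is why a strings-based signature misses it.
    print(b"VirtualAlloc" in blob)           # False
    print(resolve_blob(blob, build_hash_table(KNOWN_EXPORTS)))
```

For a real sample the work is identifying the hash routine (the rotate-and-add loop is usually easy to spot next to a PE export-table walk), reimplementing it as `hash_fn`, and feeding it the export lists of the DLLs the sample loads; unresolved hashes then point either at exports of a DLL not yet in the table or at a mistake in the reimplementation.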
‘Extremely nimble threat’
According to the Microsoft researchers, Gamaredon “rapidly develops new disguised and lightweight capabilities to spread increasingly complex malware. These are targets that move quickly and have a lot of volatility.”
Obfuscated VBScript, Microsoft’s legacy scripting language, features heavily in the payloads the researchers analysed. While the technique is not new, “antivirus systems must constantly evolve to keep pace with a highly nimble adversary,” the researchers said.
Gamaredon’s attempted phishing attack on a Western government institution in January was disclosed by Unit 42 on Thursday.
Rather than sending the malware downloader directly to its target, Gamaredon went through an employment service in Ukraine, the Unit 42 researchers said: the attackers found an open position at the Western government entity and uploaded their downloader as a résumé for that posting through the job search portal.
Given the effort that went into the campaign, Unit 42 concluded in its report that Gamaredon was deliberately targeting this particular Western government institution.
Neither Unit 42 nor Microsoft has publicly identified the specific Western government entity that was targeted.
Unrelated to the ‘WhisperGate’ attacks
Gamaredon’s attempted attack on January 19 came less than a week after the newly discovered “WhisperGate” destructive malware was found on systems at Ukrainian government organisations, around the same time that more than 70 Ukrainian government websites were defaced.
In today’s post, Microsoft’s researchers said the threat actor behind those attacks appears to be distinct from Gamaredon, and that MSTIC has found no link between the two actors or their activities.
The Department of Homeland Security (DHS) has warned that Russia may carry out a cyberattack on US infrastructure as tensions between the two countries rise.
More than 100,000 Russian troops are reported to be massed along Ukraine’s eastern border. On Wednesday, U.S. President Joe Biden ordered an additional 3,000 soldiers to Eastern Europe.