The Russia-linked threat actor Gamaredon APT has been observed deploying eight previously unseen malware payloads in a cyber-espionage campaign against organisations in Ukraine.
According to researchers, the eight previously unknown payloads were used by the Gamaredon APT group, which is also tracked under the names Armageddon and Shuckworm. The researchers concluded that the payloads are new because the samples had not appeared in any earlier attacks.
The threat actors launched the cyber-espionage campaign in July last year, distributing spear-phishing emails carrying malicious Microsoft Word documents.
The weaponised documents drop a VBS file that in turn installs the well-documented Pteranodon payload, a custom backdoor that Gamaredon has developed and maintained for roughly seven years.
The eight new payloads are 7-Zip self-extracting (SFX) executables, which unpack and launch their contents without further operator interaction. Four of them are named deep-sunken[.]exe, z4z05jn4[.]egf[.]exe, defiant[.]exe and descend[.]exe. The remaining four all share the filename deep-green[.]exe, but each performs a different task.
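As a worked example added here (not code from the article or from the researchers' report), the Python below is a triage helper for the kind of 7-Zip SFX payload described above. It flags a file as a 7-Zip SFX by locating the 7z archive signature appended after the PE stub, pulls the RunProgram entry from the optional ;!@Install@!UTF-8! configuration block that standard 7-Zip SFX stubs honour, and matches filenames against the defanged names quoted above. The sample byte strings are constructed stand-ins, not the real payloads, and the article does not say whether these samples carried an SFX configuration block; checking for one is an assumption about what a practitioner would want to see.

```python
import re

# 7z archive header signature; a 7-Zip SFX is a PE stub with this archive appended
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Optional installer-config block that 7-Zip's SFX stubs read before extracting
SFX_CONFIG_START = b";!@Install@!UTF-8!"
SFX_CONFIG_END = b";!@InstallEnd@!"

# Payload filenames as printed in the article (defanged with "[.]")
REPORTED_NAMES = [
    "deep-sunken[.]exe",
    "z4z05jn4[.]egf[.]exe",
    "defiant[.]exe",
    "descend[.]exe",
    "deep-green[.]exe",
]


def refang(name: str) -> str:
    """Turn a defanged indicator like 'deep-green[.]exe' back into a real filename."""
    return name.replace("[.]", ".")


def find_7z_archive(data: bytes) -> int:
    """Offset of a 7z archive appended to a PE image, or -1 if this is not a 7-Zip SFX.

    A bare .7z archive starts with the magic at offset 0 but has no PE stub, so it
    is deliberately not reported as an SFX.
    """
    if not data.startswith(b"MZ"):
        return -1
    return data.find(SEVENZIP_MAGIC, 2)


def parse_sfx_config(data: bytes) -> dict:
    """Extract key="value" pairs from the ;!@Install@!UTF-8! ... ;!@InstallEnd@! block.

    RunProgram (what the stub executes after unpacking) is the field worth triaging.
    """
    start = data.find(SFX_CONFIG_START)
    if start == -1:
        return {}
    end = data.find(SFX_CONFIG_END, start)
    if end == -1:
        return {}
    body = data[start + len(SFX_CONFIG_START):end].decode("utf-8", "replace")
    return dict(re.findall(r'^\s*(\w+)="([^"]*)"', body, flags=re.MULTILINE))


def triage(filename: str, data: bytes) -> dict:
    """Summarise one file: is it a 7-Zip SFX, what would it run, does the name match the report."""
    offset = find_7z_archive(data)
    config = parse_sfx_config(data) if offset != -1 else {}
    known = {refang(n).lower() for n in REPORTED_NAMES}
    return {
        "is_7z_sfx": offset != -1,
        "archive_offset": offset,
        "run_program": config.get("RunProgram"),
        "name_matches_report": filename.lower() in known,
    }


# Constructed sample inputs (not real malware): a fake MZ/PE stub followed by an SFX
# config and a 7z signature, a plain PE with no archive, and a bare 7z archive.
FAKE_PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
SAMPLE_SFX = (
    FAKE_PE_STUB
    + SFX_CONFIG_START
    + b'\r\nTitle="Update"\r\nRunProgram="deep-green.exe"\r\n'
    + SFX_CONFIG_END
    + b"\r\n"
    + SEVENZIP_MAGIC
    + b"\x00\x04" + b"\x00" * 16
)
SAMPLE_PLAIN_PE = FAKE_PE_STUB + b"\x00" * 64
SAMPLE_BARE_7Z = SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("deep-green.exe", SAMPLE_SFX),
                       ("setup.exe", SAMPLE_PLAIN_PE),
                       ("archive.7z", SAMPLE_BARE_7Z)]:
        print(name, triage(name, blob))
```

A positive hit is a triage signal, not a verdict: plenty of legitimate installers are 7-Zip SFX executables, so the archive offset and RunProgram value are meant to prioritise which files go to hashing, unpacking and sandbox analysis, and the filename match is only useful while the reported names are still in use.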
Researchers note that Gamaredon APT has a long history of links to the Russian state.
The group is believed to operate on behalf of Russia's FSB. The Ukrainian government confirmed this connection when its Security Service (SSU) identified five members of the Gamaredon group working for the Russian FSB.
Researchers also hold the group responsible for more than 5,000 cyberattacks against approximately 1,500 government systems in Ukraine since early 2014.
Gamaredon APT's attacks are particularly concerning because the group consistently targets military, security, law enforcement and defence agencies to collect intelligence and confidential information, which serves Russian geopolitical objectives.
The recent attacks against Ukrainian entities indicate that Gamaredon remains focused on the country's military information, and its ties to the Russian government suggest it has the resources to keep refining its TTPs.
Organisations, especially those in the targeted sectors, are urged to put countermeasures in place against spear-phishing and malicious Office documents to fend off these attacks.