Cybersecurity researchers observing the cyberattacks against Ukraine reported an ongoing hacking operation from the Russian-sponsored Gamaredon group. Reports revealed that Gamaredon has been targeting Ukraine for nearly a decade and is responsible for numerous attacks against the private and public entities of the country.
The group has been compromising Ukrainian organisations with cyberattacks since the start of the Russian invasion. Its latest infection vector is a phishing message carrying a self-extracting 7-Zip archive that retrieves an XML file from an “xsph[.]ru” subdomain.
The XML file then leads to the execution of a PowerShell infostealer, slightly altered by the Gamaredon operators to evade security detections. In addition, the Russian threat group used VBS downloaders to retrieve the Pterodo backdoor, one of Gamaredon’s own kits, and in other cases a Giddome backdoor.
These backdoors enable the threat actors to record audio through the infected host’s microphone, capture screenshots of the desktop, and log and exfiltrate keystrokes. They can also download and run additional .dll and .exe payloads.
Moreover, in the recent attacks researchers spotted the Gamaredon hackers launching the legitimate remote desktop tools AnyDesk and Ammyy Admin. None of these tactics is new, which suggests that Gamaredon’s current operations remain relatively unsophisticated.
Despite the lack of sophistication, Gamaredon still accomplishes its attacks through phishing operations.
Ukraine’s emergency response team for cybersecurity reported that in the latest Gamaredon activity, the actors conducted a new phishing campaign that relies on HTM attachments from malicious email accounts.
The country’s security team also observed an infection chain in which PowerShell info stealers attempted to harvest large amounts of data from multiple web browsers. Gamaredon also employed an interesting tactic: a specially crafted macro that attempts to modify the Normal.dotm file on the victim’s machine.
Normal.dotm is the default Microsoft Word template, so modifying it gives the attackers the ability to lace every document created on the compromised device with malicious code.
This strategy indicates that Gamaredon turns its victims into new sources of infection, since unsuspecting recipients will most likely open laced documents sent by somebody they know or trust.
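As an added example, not code from the original report, the following Python check inspects a Word template for an embedded VBA project, which is how a macro-laced Normal.dotm presents on disk, and compares the file against a known-good hash. The two sample templates it builds are constructed stand-ins with just enough OOXML structure for the check, not real Word files, and a genuine Normal.dotm may legitimately carry a user’s own macros, so the VBA indicator is a prompt to investigate rather than proof of compromise.

```python
"""Check a Word template (e.g. Normal.dotm) for an embedded VBA project and baseline drift."""
import hashlib
import io
import zipfile

VBA_PART = "word/vbaProject.bin"                       # OOXML part holding compiled macros
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml


def inspect_template(data: bytes) -> dict:
    """Return indicators for one OOXML template given its raw bytes."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "is_ooxml": False,
              "has_vba_part": False, "declares_vba_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):      # a template is a zip container
        result["suspicious"] = False
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["has_vba_part"] = VBA_PART in names
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_type"] = VBA_CONTENT_TYPE in ctypes
    # Either indicator means macro code is present; confirm against a known-good baseline.
    result["suspicious"] = result["has_vba_part"] or result["declares_vba_type"]
    return result


def baseline_changed(data: bytes, known_good_sha256: str) -> bool:
    """True if the template no longer matches the hash recorded for the clean copy."""
    return hashlib.sha256(data).hexdigest() != known_good_sha256


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal template (not a real Word file) with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        override = (f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
                    if with_vba else "")
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\x00constructed placeholder vba project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    clean, laced = build_sample(False), build_sample(True)
    baseline = inspect_template(clean)["sha256"]
    for label, blob in (("clean", clean), ("laced", laced)):
        r = inspect_template(blob)
        print(label, "suspicious=%s drift=%s" % (r["suspicious"], baseline_changed(blob, baseline)))
```

On a real host, read the bytes of the user’s Normal.dotm from the Word templates directory and keep the clean hash in an inventory so drift is visible even if a later macro is stripped of the VBA part name.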