CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise
Cyber Security Threat Summary:
Last week, the computer emergency response team of Ukraine (CERT-UA) released an article disclosing details about a Russian-linked threat actor known as Gamaredon (Aka Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010). Active since at least 2013, Gamaredon is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. Since the start of the Russo-Ukranian war in February 2022, Gamaredon is believed to be responsible for thousands of attacks against the government and other critical public and private organizations in Ukraine. Based on the data accumulated from these attacks, CERT-UA was able to outline the group’s tactics, which the agency recently shared to help defenders detect and stop network infiltration attempts.
Security Officer Comments:
For the initial infection chain, Gamaredon relies on emails or messaging applications like Telegram, WhatsApp, Signal to trick victims into opening malicious attachments such as HTM, HTA, and LNK files disguised as Microsoft Word or Excel documents. Opening the attachments leads to the download and execution of PowerShell scripts and malware (usually GammaSteel) on the victim’s device. The Powershell scripts are designed to target browser cookies containing session data, which further enable the hackers to bypass two-factor authentication and take over online accounts. As for GammaSteel, the malware serves as an info-stealer that is capable of exfiltration files with the .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb extensions within 30-50 minutes.
According to CERT-UA, the group also relies on USB sticks for propagation which are typically infected with Gamaredon’s initial compromise payloads. It is interesting to note that the group will plant as many as 120 malicious infected files per week on the compromised system to increase the likelihood of re-infection.
“If during the disinfection process, after cleaning the registry of the operating system, deleting files, scheduled tasks, etc., at least one infected file or document is left on the computer (quite often users reinstall the OS and transfer without checking the "necessary" documents), then the infection of the computer computer with high probability will happen again,” stated CERT-UA.
Suggested Correction(s):
In general, avoid clicking on links or attachments that come in emails or messages from unknown senders as this is the typical infection vector for Gamaredon. According to CERT-UA best way to limit the effectiveness of Gamaredon attacks is to block or restrict the unauthorized execution of mshta.exe, wscript.exe, cscript.exe, and powershell.exe.
Gamaredon IOCs:
https://cert.gov.ua/article/5160737
Link(s):
https://thehackernews.com/2023/07/cert-ua-uncovers-gamaredons-rapid-data.html