The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its cyber attacks on public authorities and critical information infrastructure in the country. This advanced persistent threat, also tracked as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has been targeting Ukrainian entities since 2013.

UAC-0010's current activity is characterized by a multi-step download approach and the execution of spyware payloads used to maintain control over infected hosts, the SCPC said. The group is currently using the GammaLoad and GammaSteel spyware in its campaigns: GammaLoad is a VBScript dropper that downloads the next-stage VBScript from a remote server, and GammaSteel is a PowerShell script that can conduct reconnaissance and execute additional commands. The goal of the attacks is espionage and information theft rather than sabotage, the agency noted.

The SCPC also highlighted the group's consistent evolution of tactics, redeveloping its malware toolset to stay under the radar, and called Gamaredon a key cyber threat. Attack chains start with spear-phishing emails carrying a RAR archive that, when opened, kicks off a sequence of five intermediate stages - an LNK file, an HTA file, and three VBScript files - that eventually leads to the delivery of a PowerShell payload. The IP addresses of the command-and-control servers are published in periodically rotated Telegram channels, which corroborates a report from BlackBerry last month. All the analyzed VBScript droppers and PowerShell scripts are, according to the SCPC, variants of GammaLoad and GammaSteel respectively, allowing the adversary to exfiltrate sensitive information.

The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) revealed details of a new malicious campaign targeting state authorities of Ukraine and Poland.
The attacks take the form of lookalike web pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police in an attempt to trick visitors into downloading software that claims to detect infected computers. When the file - a Windows batch script named Protector.bat - is launched, it leads to the execution of a PowerShell script that can capture screenshots and harvest files with 19 different extensions from the workstation. CERT-UA has attributed the operation to a threat actor it calls UAC-0114, also known as Winter Vivern, an activity cluster that has in the past used weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

Russia's invasion of Ukraine in February 2022 has been accompanied by targeted phishing campaigns, destructive malware strikes, and distributed denial-of-service attacks. Cybersecurity firm Trellix reported a 20-fold increase in email-based cyber attacks on Ukraine's public and private sectors in the third week of November 2022, attributing a majority of the messages to Gamaredon. Other malware families widely distributed through these campaigns include Houdini RAT, FormBook, Remcos, and Andromeda, the last of which has been repurposed by the Turla hacking crew to deploy its own malware.

As the Ukraine-Russia war continues, cyber attacks on Ukraine's energy, government, transportation, infrastructure, and financial sectors are ongoing, Trellix said. "In times of such panic and unrest, the attackers aim to take advantage of the distraction and stress of the victims to successfully exploit them."
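Both chains reported above end the same way: a script host (HTA, VBScript, or a batch file) hands off to PowerShell. Because the C2 addresses rotate through Telegram channels, IP-based blocking is weak; a more durable detection looks at process lineage. The following is an added example, not code from the SCPC, CERT-UA, or the article: it walks constructed, Sysmon-style process-creation events (reduced to pid, parent pid, image path and command line, an assumed simplification) and flags a PowerShell launch whose ancestry contains mshta.exe followed by wscript.exe/cscript.exe, matching the LNK → HTA → VBScript → PowerShell staging, and separately flags PowerShell spawned directly by cmd.exe running a .bat file, as in the Protector.bat lure. The sample events and file names are invented for illustration.

```python
"""Flag PowerShell launches whose process ancestry matches the staged
script-host loader chains described above. Uses constructed events only."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed sample telemetry (assumption: Sysmon-like process-creation events
# reduced to pid / parent pid / image / command line). Not real incident data.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Chain 1: LNK from a RAR opens an HTA, which runs VBScript stages, then PowerShell
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\AppData\Local\Temp\Rar$\doc.hta"'),
    ProcEvent(2001, 2000, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\stage1.vbs"),
    ProcEvent(2002, 2001, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\stage2.vbs"),
    ProcEvent(2003, 2002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\payload.ps1"),
    # Chain 2: a downloaded batch file launches PowerShell
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\Downloads\Protector.bat"'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ep bypass -f C:\Users\u\Downloads\p.ps1"),
    # Benign: an administrator opens PowerShell from an interactive cmd prompt
    ProcEvent(4000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4001, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(image):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(image).lower()


def ancestry(events_by_pid, pid):
    """Return the process and its ancestors ordered root -> leaf.
    The seen-set guards against pid reuse producing a cycle."""
    chain, seen = [], set()
    cur = events_by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = events_by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def contains_in_order(names, *groups):
    """True if one member of each group occurs in names in group order.
    Matches need not be adjacent, so extra VBScript re-spawns do not break it."""
    idx = 0
    for group in groups:
        while idx < len(names) and names[idx] not in group:
            idx += 1
        if idx == len(names):
            return False
        idx += 1
    return True


def detect(events):
    """Return (rule, pid, lineage) tuples for PowerShell launches that match."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        chain = ancestry(by_pid, e.pid)
        names = [basename(a.image) for a in chain]
        parent = chain[-2] if len(chain) >= 2 else None
        if contains_in_order(names, {"mshta.exe"}, SCRIPT_HOSTS, POWERSHELL):
            hits.append(("hta_vbs_powershell_chain", e.pid, names))
        elif (parent is not None and basename(parent.image) == "cmd.exe"
              and ".bat" in parent.cmdline.lower()):
            hits.append(("batch_launched_powershell", e.pid, names))
    return hits


if __name__ == "__main__":
    for rule, pid, names in detect(SAMPLE_EVENTS):
        print(rule, pid, " -> ".join(names))
```

The HTA-to-VBScript-to-PowerShell rule is specific enough to alert on directly; mshta.exe and wscript.exe rarely sit in the same lineage above PowerShell in normal use. The batch-to-PowerShell rule is noisy in environments with logon scripts, so treat it as a hunting query and pair it with the behaviours the article attributes to the payload, such as screenshot capture and bulk reads of user documents by the child process, before paging anyone.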
This Cyber News was published on thehackernews.com. Publication date: Fri, 03 Feb 2023 05:32:02 +0000