Gamaredon Group Organizes Attacks Through Telegram
Category: Russia & Ukraine | Industries: Aerospace, Critical Infrastructure, Government | Level: Tactical | Source: BlackBerry
The Russian cyberespionage group 'Gamaredon Group' has been recognized as a persistent threat to Ukraine, targeting the country since 2013, and has recently ramped up its efforts in the context of the Russia-Ukraine war. Analysis from BlackBerry found that "the group has been actively targeting the Ukrainian government lately, relying on the infrastructure of the popular messaging service Telegram to bypass traditional network traffic detection techniques without raising obvious flags." Gamaredon distributes weaponized documents to targets while masquerading as various Ukrainian entities, such as the Ukrainian police, an aerospace firm, ministries, and a government organization.
In a spear-phishing campaign observed by BlackBerry, Gamaredon threat actors exploited a remote template injection vulnerability in order to bypass Microsoft macro protections. When the document is executed, a network check is conducted to ensure the victim host has a Ukrainian IP address; a VBS file is then downloaded to drop implants and connect to a hardcoded Telegram account. "Each Telegram account periodically deploys new IP addresses. In an interesting twist, our findings confirm that this only happens during regular working hours in Eastern Europe. This indicates that this is very likely a human-operated activity rather than an automated one." The next-stage download is predicated on the IP address received. One payload observed was a PowerShell script used to download a PHP script and establish persistence in the Run registry key.
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Malicious Document Execution
- Wscript/Cscript Execution
- New AutoRun Registry Key
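The following is an added detection example, not code from BlackBerry or Anvilogic, covering two links of the chain described above and two of the use cases listed: an Office application spawning wscript/cscript (the VBS stage) and a Run registry key being set (the PowerShell persistence stage). It runs over constructed Sysmon-style event dictionaries; the event types and field names are assumptions for illustration, not a vendor schema.

```python
import re

# Assumed event shape: dicts with "type", "image", "parent_image", "target_object".
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches HKLM/HKU ...\CurrentVersion\Run\ and RunOnce\ value paths.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of rule names matching one event, or [] if none."""
    hits = []
    if event.get("type") == "process_create":
        parent = basename(event.get("parent_image", ""))
        image = basename(event.get("image", ""))
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")  # maldoc -> VBS dropper
    elif event.get("type") == "registry_set":
        if RUN_KEY_RE.search(event.get("target_object", "")):
            hits.append("new_autorun_key")  # Run-key persistence
            if basename(event.get("image", "")) == "powershell.exe":
                hits.append("powershell_sets_autorun")  # matches the reported payload
    return hits


def scan(events):
    """Run every rule over a sequence of events; yields (index, rule) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in detect(e)]


# Constructed sample telemetry mirroring the reported chain (not real IoCs).
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "registry_set",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule)
```

In production the same two rules would be joined on host and time window, since a script host launched by Office followed minutes later by a PowerShell-written Run key is far more specific than either event alone.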