Russian APT Gamaredon: A Critical Player Against Ukraine
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Palo Alto Unit42
Palo Alto Unit42 researchers have maintained focus on the Russian advanced persistent threat (APT) group Gamaredon (aka Primitive Bear, Shuckworm, Trident Ursa, UAC-0010) since the beginning of the Russia and Ukraine war in February 2022. Over the past ten months, Gamaredon has proven itself a vital component in the war, conducting numerous campaigns against Ukraine. "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," as stated by Unit42. Highlights of their activity include the compromise of a NATO petroleum company on August 30th, threatening a group of security researchers on Twitter, the use of fast-flux DNS and a Telegram messenger to look up command and control (C2) IP addresses, as well as other changes to the group's tactics, techniques, and procedures (TTPs).
Campaigns launched against Ukraine are often written in the Ukrainian language; however, some English-themed lures were also observed. Their network infrastructure outside of Russia uses virtual private servers (VPS) from DigitalOcean (AS14061) and The Constant Company (AS20473). The majority of their infrastructure, though, is registered in Russia, as discovered by Unit42: "Over 96% of Trident Ursa’s domains continue to be registered and under the DNS of the Russian company reg[.]ru that – to date – has taken no action to block or deny this malicious infrastructure."
Phishing campaigns initiated by Gamaredon have attached HTML files that drop a compressed archive, or Word documents that download a remote template. Living-off-the-land binaries (LOLBins) such as MSHTA or VBScript support the infection chain and enable communication with the attacker's C2. To thwart analysis by security researchers, Gamaredon implements geoblocking to prevent file downloads from specific locations, and nodes from popular VPN services like ExpressVPN and NordVPN were also found to be blocked. Whilst such preventive measures are taken in some operations, Gamaredon operators don't typically exhibit this type of care. "This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again – often even reusing previous samples."
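One way to hunt for the Word-to-LOLBin stage of this chain, as an added example that is not Unit42's or Anvilogic's own detection content: it runs over constructed process-creation events (Sysmon Event ID 1 style; the field names, the Office process list and the placeholder hostnames and paths are assumptions) and flags script hosts spawned by Office, MSHTA pulling remote content, and VBScript run from user-writable paths.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# Hostnames and paths are placeholders, not indicators from the Unit42 report.
EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"mshta.exe http://placeholder-c2.invalid/template.hta"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice.vbs"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"mshta.exe C:\Windows\System32\ieframe.dll"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe readme.txt"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the detection reasons that fire for one process-creation event."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    reasons = []
    if image not in SCRIPT_HOSTS:
        return reasons  # only LOLBin script hosts are in scope for this hunt
    if parent in OFFICE_APPS:
        reasons.append("office_spawned_script_host")  # remote-template stage
    if image == "mshta.exe" and URL_RE.search(cmd):
        reasons.append("mshta_remote_content")  # HTA fetched from a remote host
    if image in {"wscript.exe", "cscript.exe"} and USER_WRITABLE_RE.search(cmd):
        reasons.append("script_from_user_writable_path")  # dropped VBScript
    return reasons


def scan(events):
    """Index each event that triggers at least one reason; benign ones are dropped."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Tune OFFICE_APPS and USER_WRITABLE_RE to the environment; legitimate HTA tooling launched from svchost or explorer stays quiet, as the third sample shows.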
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Symbolic OR Hard File Link Created
- MSHTA.exe execution
- Suspicious Registry Key Created