The Gamaredon group, believed to be linked with Russia, is using eight new malware payloads for its recent cyber-espionage operations. The observed attacks were aimed toward Ukrainian entities.
The recent campaign
Researchers at Symantec analyzed a recent campaign in which eight new malware samples were used by Gamaredon (aka Shuckworm or Armageddon).
The attacks started in July 2021 with the spread of spear-phishing emails laden with macro-laced Word documents.
These files launch a VBS file that eventually drops a well-documented backdoor, known as Pteranodon, that was developed and improved by Gamaredon for around seven years.
All eight files are 7-zip self-extracting binaries that require minimal user interaction.
Four of the eight files are named descend[.]exe, deep-sunken[.]exe, z4z05jn4[.]egf[.]exe, and defiant[.]exe. The rest files the same name—deep-green[.]exe— however, they perform different tasks.
The Russian connection
For a long time, researchers believe that Gamaredon is linked to Russia.
A recent report from the SSU also claimed the involvement of the Russian FSB in the attacks on Ukraine.
In November 2021, Ukrainian government agencies disclosed the identity of five members of the Gamaredon hacking group allegedly working for the Russian federal agency, FSB.
Moreover, Gamaredon is thought to be behind more than 5,000 attacks, targeting more than 1,500 government systems based in Ukraine since 2014.
Their most attacks are aimed at security, defense, and law enforcement agencies to harvest intelligence and sensitive information from the infected systems for geopolitical interests.
Ending notes
The frequent attacks on Ukrainian entities by the Gamaredon group show its keen interest in the region. Moreover, the involvement of Russian interests indicates that this group has the potential to further improve its tools or techniques. Therefore, organizations are suggested to implement a proactive strategy and well-defined countermeasures.