Microsoft discloses new details on Russian hacker group Gamaredon
The Russia-linked threat actor Gamaredon, which is believed to have launched a cyberattack against a western government organization in Ukraine last month, is a highly agile operation that brings a strong focus on employing tactics for evading detection, according to Microsoft security researchers.
Gamaredon’s main goal appears to be cyber espionage, researchers in the Microsoft Threat Intelligence Center (MSTIC) said in a blog post today.
While Gamaredon has mainly targeted Ukrainian officials and organizations in the past, the group attempted an attack on January 19 that aimed to compromise a Western government “entity” in Ukraine, researchers at Palo Alto Networks’ Unit 42 organization reported Thursday. Gamaredon leadership includes five Russian Federal Security Service officers, the Security Service of Ukraine said previously.
Microsoft threat researchers released their own findings on Gamaredon in the blog post today, disclosing that the group has been actively involved in malicious cyber activity in Ukraine since October 2021.
While the hacker group has been dubbed “Gamaredon” by Unit 42, Microsoft refers to the group by the name “Actinium.”
“In the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations,” the threat researchers said in the post. “MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage.”
Evading detection
Tactics used frequently by the group include spear-phishing emails with malicious macro attachments, resulting in deployment of remote templates, the researchers said. By causing a document to load a remote document template with malicious code—the macros—this “ensures that malicious content is only loaded when required (for example, when the user opens the document),” Microsoft said.
“This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content,” the researchers said. “Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.”
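The delivery mechanism described above leaves a footprint in the document itself: a Word file in Office Open XML format is a zip archive, and an attached template is recorded as an `attachedTemplate` relationship in `word/_rels/settings.xml.rels`; when that relationship is marked `TargetMode="External"` and points at a URL, Word fetches the template (with whatever macros it carries) at open time. The following triage script is an added example written for this article, not code from Microsoft or Unit 42. It builds a minimal constructed .docx in memory (the URL and paths are invented placeholders) and reports any template that would be fetched over the network, which is the signal a mail gateway or sandbox can check statically even though the macro itself is never in the attachment.

```python
"""Static triage of .docx/.dotx files for remote attached templates.

Added example for this article; not code from Microsoft or Unit 42.
Only the parts of the OOXML package that this check reads are built.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

# Namespaces and part name defined by the Office Open XML packaging spec.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PART = "word/_rels/settings.xml.rels"


def external_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every attachedTemplate relationship marked External."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return targets  # no settings relationships: no attached template
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def is_network_target(target: str) -> bool:
    """True if the template would be fetched over the network (URL or UNC path).

    A locally attached template normally appears as a file:/// URL, which is
    routine and not flagged here.
    """
    scheme = urlparse(target).scheme.lower()
    return scheme in {"http", "https", "ftp"} or target.startswith("\\\\")


def triage(docx_bytes: bytes) -> List[str]:
    """Return only the attached-template targets that involve a network fetch."""
    return [t for t in external_templates(docx_bytes) if is_network_target(t)]


def build_docx(rels_xml: Optional[str]) -> bytes:
    """Constructed minimal package; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed sample relationship parts. The hostname is a placeholder.
REMOTE_URL = "http://template.example.invalid/normal.dotm"
LOCAL_URL = "file:///C:/Users/user/Templates/Normal.dotm"

REMOTE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="{REMOTE_URL}" TargetMode="External"/>
</Relationships>"""

LOCAL_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="{LOCAL_URL}" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("remote", REMOTE_RELS), ("local", LOCAL_RELS), ("none", None)):
        print(f"{label}: {triage(build_docx(rels))}")
```

The check only applies to the zip-based formats (.docx, .dotx, .docm, .dotm); the legacy binary .doc format stores template links differently and needs a separate parser. Blocking or detonating on a network-hosted template is useful precisely because, as the article notes, the attacker controls when the macro is served, so the attachment alone may look clean to a scanner that only inspects embedded content.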
The Microsoft researchers report that they’ve observed numerous email phishing lures used by Gamaredon, including those that impersonate legitimate organizations, “using benign attachments to establish trust and familiarity with the target.”
In terms of malware, Gamaredon uses a variety of different strains—the most “feature-rich” of which is Pterodo, according to Microsoft. The Pterodo malware family brings an “ability to evade detection and thwart analysis” through the use of a “dynamic Windows function hashing algorithm to map necessary API components, and an ‘on-demand’ scheme for decrypting needed data and freeing allocated heap space when used,” the researchers said.
Meanwhile, the PowerPunch malware used by the group is “an agile and evolving sequence of malicious code,” Microsoft said. Other malware families employed by Gamaredon include ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown.
‘Very agile threat’
Gamaredon “quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later,” the Microsoft researchers said. “These are fast-moving targets with a high degree of variance.”
Payloads analyzed by the researchers show a major emphasis on obfuscated VBScript (Visual Basic Script), a Microsoft scripting language. “As an attack, this is not a novel approach, yet it continues to prove successful as antivirus solutions must consistently adapt to keep pace with a very agile threat,” the researchers said.