Ukraine targeted with default Word template hijacker by Russian hackers
Gamaredon, also known as Armageddon or Shuckworm, is a Russian state-backed hacking group believed to be part of the FSB’s 18th Center for Information Security. Threat analysts monitoring attacks against Ukraine report that the well-known group is still actively targeting the country. Russian activity against Ukrainian targets has intensified since the invasion in February 2022, including phishing campaigns and the use of new malware variants. The group has concentrated on Ukraine since 2014 and is believed to be responsible for hundreds of attacks on important public and private entities there.
Gamaredon’s activities are still going strong in the sixth month of the war, according to a report released today by Symantec, a part of Broadcom Software. The most recent round of attacks ran between July 15 and August 8, 2022. The latest attack vector is phishing emails carrying a self-extracting 7-Zip archive that downloads an XML file from an “xsph.ru” subdomain linked to Gamaredon since May 2022. According to Symantec, the XML file executes a PowerShell info-stealer that has been heavily modified, possibly in an effort to avoid detection.
Ukraine’s computer emergency response team (CERT-UA) also reported on current Gamaredon activity last week, describing a brand-new phishing campaign that used HTM attachments sent from compromised email accounts. According to CERT-UA’s analysis of the infection chain, the PowerShell info-stealers attempt to steal web browser data. The agency also uncovered a distinctive technique in which Gamaredon uses a custom macro to modify Word’s default template, the “Normal.dotm” file, on the host.
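As an added example (not code from the article, Symantec or CERT-UA), the following Python checks whether a Word template package carries an embedded VBA project, the condition a defender would look for in a Normal.dotm that has been modified; the sample templates it builds are constructed stand-ins, and the Normal.dotm path under %APPDATA% is assumed to be the usual per-user location.

```python
import io
import os
import zipfile
from typing import Optional

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # standard OOXML value
VBA_PART = "word/vbaProject.bin"

def inspect_template(data: bytes) -> dict:
    """Flag an OOXML Word template that contains or declares a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            has_vba_part = VBA_PART in names
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
            declares_vba = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        # Not a valid OOXML package at all: report it rather than treat it as clean.
        return {"valid_package": False, "has_vba_part": False,
                "declares_vba": False, "suspicious": True}
    return {"valid_package": True, "has_vba_part": has_vba_part,
            "declares_vba": declares_vba,
            "suspicious": has_vba_part or declares_vba}

def build_sample_template(with_macro: bool) -> bytes:
    """Constructed minimal stand-in for a Normal.dotm package (sample data only)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.ms-word.template.macroEnabledTemplate.main+xml"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>')
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns='
              '"http://schemas.openxmlformats.org/package/2006/content-types">'
              + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder OLE bytes")
    return buf.getvalue()

def scan_user_normal_dotm() -> Optional[dict]:
    """Inspect the current user's Normal.dotm at its assumed Windows location."""
    path = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Templates", "Normal.dotm")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return {"path": path, **inspect_template(f.read())}
```

Running `scan_user_normal_dotm()` on a Windows host returns the verdict for the real template; comparing the result with a known-good baseline (or watching the file's modification time) turns it into a simple periodic check.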
The Russian hackers also deployed the Giddome backdoor and, in some cases, the Pterodo backdoor via VBS downloaders; both are signature Gamaredon tools. These backdoors let the attackers download and run additional “.exe” and “.dll” payloads, log and steal keystrokes, capture screenshots of the host’s desktop, and record audio through the host’s microphone.
Last but not least, the hackers were observed using the legitimate remote desktop tools “AnyDesk” and “Ammyy Admin” during the most recent campaign.