Join today’s leading executives online at the Data Summit on March 9th. Register here.
The Russia-linked threat actor Gamaredon, which is believed to have launched a cyberattack against a western government organization in Ukraine last month, is a highly agile operation that brings a strong focus on employing tactics for evading detection, according to Microsoft security researchers.
Gamaredon’s main goal appears to be cyber espionage, researchers in the Microsoft Threat Intelligence Center (MSTIC) said in a blog post today.
While Gamaredon has mainly targeted Ukrainian officials and organizations in the past, the group attempted an attack on January 19 that aimed to compromise a Western government “entity” in Ukraine, researchers at Palo Alto Networks’ Unit 42 organization reported Thursday. Gamaredon leadership includes five Russian Federal Security Service officers, the Security Service of Ukraine said previously.
Microsoft threat researchers released their own findings on Gamaredon in the blog post today, disclosing that the group has been actively involved in malicious cyber activity in Ukraine since October 2021.
While the hacker group has been dubbed “Gamaredon” by Unit 42, Microsoft refers to the group by the name “Actinium.”
“In the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations,” the threat researchers said in the post. “MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage.”
Tactics used frequently by the group include spear-phishing emails with malicious macro attachments, resulting in deployment of remote templates, the researchers said. By causing a document to load a remote document template with malicious code—the macros—this “ensures that malicious content is only loaded when required (for example, when the user opens the document),” Microsoft said.
“This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content,” the researchers said. “Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.”
The Microsoft researchers report that they’ve observed numerous email phishing lures used by Gamaredon, including those that impersonate legitimate organizations, “using benign attachments to establish trust and familiarity with the target.”
In terms of malware, Gamaredon uses a variety of different strains—the most “feature-rich” of which is Pterodo, according to Microsoft. The Pterodo malware family brings an “ability to evade detection and thwart analysis” through the use of a “dynamic Windows function hashing algorithm to map necessary API components, and an ‘on-demand’ scheme for decrypting needed data and freeing allocated heap space when used,” the researchers said.
Meanwhile, the PowerPunch malware used by the group is “an agile and evolving sequence of malicious code,” Microsoft said. Other malware families employed by Gamaredon include ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown.
‘Very agile threat’
Gamaredon “quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later,” the Microsoft researchers said. “These are fast-moving targets with a high degree of variance.”
Payloads analyzed by the researchers show a major emphasis on obfuscated VBScript (Visual Basic Script), a Microsoft scripting language. “As an attack, this is not a novel approach, yet it continues to prove successful as antivirus solutions must consistently adapt to keep pace with a very agile threat,” the researchers said.
Unit 42 had reported Thursday that Gamaredon’s attempted attack against a western government organization in January involved a targeted phishing attempt.
Instead of emailing the malware downloader to their target, Gamaredon “leveraged a job search and employment service within Ukraine,” the Unit 42 researchers said. “In doing so, the actors searched for an active job posting, uploaded their downloader as a resume and submitted it through the job search platform to a Western government entity.”
Due to the “steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization,” Unit 42 said in its post.
Unit 42 has said it’s not identifying or further describing the western government entity that was targeted by Gamaredon.
No connection to ‘WhisperGate’ attacks
The attempted January 19 attack by Gamaredon came less than a week after more than 70 Ukrainian government websites were targeted with the new “WhisperGate” family of malware.
However, the threat actor responsible for those attacks appears to be separate from Gamaredon, the Microsoft researchers said in the post today. The Microsoft Threat Intelligence Center “has not found any indicators correlating these two actors or their operations,” the researchers said.
The U.S. Department of Homeland Security (DHS) last month suggested it’s possible that Russia might be eyeing a cyberattack against U.S. infrastructure, amid tensions between the countries over Ukraine.
Estimates suggest Russia has stationed more than 100,000 troops on the eastern border of Ukraine. On Wednesday, U.S. President Joe Biden approved sending an additional 3,000 U.S. troops to Eastern Europe.