The Russian state-sponsored cyber espionage group tracked as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.
“The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload,” the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “This kind of technique to infect target systems is new.”
Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its attacks against Ukrainian entities since at least 2013.
Last month, Palo Alto Networks Unit 42 disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.
Attack chains mounted by the threat actor have used legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.
These files, when opened, load a malicious template from a remote source (a technique called remote template injection), effectively getting around the need to enable macros in order to breach target systems and propagate the infection.
The latest findings from BlackBerry reveal an evolution in the group’s tactics, whereby a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to fly under the radar.
To that end, the remote template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP address specified in the Telegram channel to fetch the next stage: a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file.
This PHP file is tasked with calling yet another Telegram channel to retrieve a third IP address that hosts the final payload, an information-stealing malware that was previously detailed by Cisco Talos in September 2022.
It’s also worth pointing out that the heavily obfuscated VBA script is only delivered if the target’s IP address is located in Ukraine.
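The remote template injection step that starts this chain is also the point where a defender can triage a lure before any stage runs. This added example (not BlackBerry's or The Hacker News' code) scans a .docx package for an externally hosted attachedTemplate relationship and builds a constructed sample document to test against; the template URL is a placeholder, not an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the attachedTemplate relationship type
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def find_remote_templates(docx_bytes):
    """Return http(s) attachedTemplate targets found in any .rels part of a .docx.

    A remote attachedTemplate is the hallmark of remote template injection: Word
    fetches the template (and any macros it carries) at open time, so the lure
    document itself holds no macro to block. Local template paths are ignored.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append(target)
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal .docx-like package for testing; not a real malware sample."""
    rels = ""
    if template_target is not None:
        rels = ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                % (ATTACHED_TEMPLATE, template_target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/settings.xml.rels",
                     '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL (constructed); real lures point at attacker-controlled hosts.
    sample = build_sample_docx("http://template.example.invalid/lure.dotm")
    print(find_remote_templates(sample))  # ['http://template.example.invalid/lure.dotm']
```

The same check can be run over the `.rels` parts of .dotm/.docm files, since the relationship layout is shared across Word's OOXML formats.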
“The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out,” BlackBerry noted.
“The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor operates from one location, and in all likelihood belongs to an offensive cyber unit that deploys malicious operations against Ukraine.”
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National Information Agency of Ukraine to the Russia-linked Sandworm hacking group.
Some parts of this article are sourced from:
thehackernews.com