Russian hackers have targeted Ukrainian entities with never-before-seen information-stealing malware in a new, still-active spy campaign.
Cisco Talos security researchers attribute the campaign to Gamaredon, a Russian state-backed threat group that has long primarily targeted Ukrainian government organizations, critical infrastructure, defense, security and law enforcement. .
Also known as Primitive Bear, Shuckworm, IronTiden, and Callisto, Gamaredon relies on social engineering and spear phishing to establish long-term access to victim systems.
New malware in Gamaredon toolbox
The threat group is known to develop malware (e.g. malicious scripts, infostealers, backdoors) that are used exclusively in its campaigns.
Cisco Talos attributed a newly observed (August 2022) spy campaign to Gamaredon and noticed the use of a new information stealer that can extract specific file types from victim computers as well as deploy additional malware.
“This is a new infostealer that Gamaredon has not used before in other campaigns. We suspect it could be a component of Gamaredon’s ‘Giddome’ family of backdoors, but we are unable to confirm this at this time” – Cisco Talos
The new malware has clear instructions to steal files with the following extensions: .DOC, .DOCX, .XLS, .RTF, .ODT, .TXT, .JPG, .JPEG, .PDF, .PS1, .RAR, . ZIP, .7Z AND .MDB.
It is provided by a PowerShell script similar to the one described in a recent CERT Ukraine alert about Gamaredon intrusions in the first half.
Cisco Talos says Gamaredon’s new infostealer can exfiltrate files from attached storage devices (local and remote), making each stolen file a POST request with metadata and its contents.
When recursively enumerating all files in directories, the malware avoids system folders to focus only on files of interest to the threat actor.
The researchers noticed that the infostealer can also download additional files from the command and control (C2) server, which provide instructions on how the data provided should be handled.
If the payload is an executable (marked with “1”), the file is written to disk and executed. An alternative is a VBS file (marked with “2”), which is also written to disk and launched using Windows Script Host (wscript.Exe).
A third option is a data blob, which is marked with a value other than “1” or “2” and is stored in the Windows temporary folder.
Cisco Talos notes that an indication of the presence of the Gamaredon malware on the system is a registry key called “Windows Task” to be run at login, and a mutex called “Global\flashupdate_r”.
The Gamaredon infostealer was added to the Virus Total database just over a month ago and is currently detected by at least 50 antivirus engines.
Hackers deliver the malware through phishing emails containing Microsoft Office documents with malicious VBS macros.
VBS code is hidden in remote templates and executed when opening the document, downloading RAR archives with LNK files.
LNK files and Microsoft Office documents have names referring to the Russian invasion of Ukraine.
The purpose of LNK files is to run mshta.exe to download and parse remote XML that runs a malicious PowerShell script from a Russian domain (xsph[.]ru) that Gamaredon has used for past spy campaigns.
Another PowerShell script is downloaded and executed to collect data (computer name, volume serial number, base64 encoded screenshot) from the victim and send it to a remote server.
Cisco Talos has provided a list of Indicators of Compromise for Malicious Documents, LNK Files, RAR Archives, New Infostealer, URLs, and Payload Drop Sites.
Organizations can use IoCs to defend their organizations against espionage campaigns that Gamaredon can deploy.