The Cyber Security News

GamaCopy Mimics Gamaredon Tactics in Cyber Espionage Targeting Russian Entities

January 27, 2025

A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities.

The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.

According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing threat actors to remotely access the compromised hosts.

“The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine,” the company said in a report published last week.

The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, with the spear-phishing attacks paving the way for the MeshCentral platform instead of UltraVNC.

The starting point of the attack chain mirrors the one detailed by the Russian cybersecurity company wherein a self-extracting (SFX) archive file created using 7-Zip acts as a conduit to drop next-stage payloads. This includes a batch script that’s responsible for delivering UltraVNC, while also displaying a decoy PDF document.

The UltraVNC executable is given the name “OneDrivers.exe” in a likely effort to evade detection by passing it off as a binary associated with Microsoft OneDrive.

Knownsec 404 said the activity shares several similarities with Core Werewolf campaigns, including the use of 7z-SFX files to install and execute UltraVNC, the use of port 443 for the connection back to the server, and the use of the EnableDelayedExpansion option (setlocal EnableDelayedExpansion) in the batch script.
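An added detection example, not code from the Knownsec 404 report or the original article: a small Python correlator over constructed Sysmon-style events that flags the chain described above (a batch script run out of a Temp folder, a binary masquerading as OneDrive in the style of the reported "OneDrivers.exe", and that binary's outbound connection on port 443) while leaving the genuine OneDrive client alone. The event field names, the 7ZipSfx.000 folder, the sample addresses, and the legitimate OneDrive names and install path are assumptions made for the example.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect), simplified sample data for this example, not real telemetry.
EVENTS = [
    {"eid": 1, "pid": 510, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\run.bat"'},
    {"eid": 1, "pid": 520, "ppid": 510, "cmdline": "OneDrivers.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\OneDrivers.exe"},
    {"eid": 3, "pid": 520, "dst_ip": "203.0.113.10", "dst_port": 443},
    # Benign control: the real OneDrive client also talks to port 443.
    {"eid": 1, "pid": 600, "ppid": 500, "cmdline": "OneDrive.exe /background",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"eid": 3, "pid": 600, "dst_ip": "203.0.113.20", "dst_port": 443},
]

# Assumption: legitimate OneDrive binaries carry these exact names and live under
# a ...\Microsoft\OneDrive\ folder; any other "onedrive"-named file is a masquerade.
LEGIT_NAMES = {"onedrive.exe", "onedrivesetup.exe"}

def onedrive_lookalike(image):
    name = ntpath.basename(image).lower()
    if "onedrive" not in name:
        return False
    return not (name in LEGIT_NAMES and "\\microsoft\\onedrive\\" in image.lower())

def batch_from_temp(ev):
    # Heuristic (assumption): cmd.exe running a .bat/.cmd out of a Temp folder,
    # where an SFX dropper unpacks its payload before running it.
    if ntpath.basename(ev["image"]).lower() != "cmd.exe":
        return False
    return bool(re.search(r"\\temp\\.*\.(bat|cmd)\b", ev["cmdline"], re.I))

def correlate(events):
    """Return (pid, reason) findings; a flagged lookalike that then connects out on 443 gets a second finding."""
    findings, flagged, batch_pids = [], set(), set()
    for ev in events:
        if ev["eid"] == 1:
            if batch_from_temp(ev):
                batch_pids.add(ev["pid"])
                findings.append((ev["pid"], "batch script run from Temp"))
            if onedrive_lookalike(ev["image"]):
                flagged.add(ev["pid"])
                tag = " (child of Temp batch)" if ev["ppid"] in batch_pids else ""
                findings.append((ev["pid"], "OneDrive lookalike binary" + tag))
        elif ev["eid"] == 3 and ev["pid"] in flagged and ev["dst_port"] == 443:
            findings.append((ev["pid"], "lookalike made outbound 443 connection"))
    return findings
```

Running `correlate(EVENTS)` yields three findings for the dropper chain (pids 510 and 520) and none for the genuine OneDrive process, even though both reach port 443.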

“Since its exposure, this organization has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public,” the company said.

GamaCopy is one of the many threat actors that have targeted Russian organizations in the wake of the Russo-Ukrainian war, such as Sticky Werewolf (aka PhaseShifters), Venture Wolf, and Paper Werewolf.

“Groups like PhaseShifters, PseudoGamaredon, and Fluffy Wolf stand out for their relentless phishing campaigns aimed at data theft,” Positive Technologies’ Irina Zinovkina said.

Some parts of this article are sourced from:
thehackernews.com
