The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.
“The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload,” the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “This kind of technique to infect target systems is new.”
Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its attacks aimed at Ukrainian entities since at least 2013.
Last month, Palo Alto Networks Unit 42 disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.
Attack chains mounted by the threat actor have employed legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.
These documents, when opened, load a malicious template from a remote source (a technique called remote template injection), effectively bypassing the need to enable macros in order to breach target systems and propagate the infection.
The latest findings from BlackBerry demonstrate an evolution in the group’s tactics, wherein a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to fly under the radar.
To that end, the remote template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP address specified in the Telegram channel to fetch the next stage: a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file.
This PHP file is tasked with contacting another Telegram channel to retrieve a third IP address that hosts the final payload, an information-stealing malware that was previously disclosed by Cisco Talos in September 2022.
It’s also worth noting that the heavily obfuscated VBA script is only delivered if the target’s IP address is located in Ukraine.
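As an added example (not from the article or from BlackBerry’s report), the following Python check flags the remote template injection entry point of the chain described above: it opens an Office package and looks for an attachedTemplate relationship whose external target is an HTTP(S) URL, which is the mechanism that lets a document pull a macro-bearing template at open time. The minimal sample package and the template-host.invalid URL are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses to link a document to its attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return (part_name, target) pairs for attachedTemplate links over HTTP(S).

    Word stores the template link in word/_rels/settings.xml.rels. A local
    template appears as a file:/// target, so only http(s) targets are flagged.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if re.match(r"(?i)^https?://", target):
                    hits.append((name, target))
    return hits


def build_sample(target):
    """Constructed test input: a package holding only the settings rels part."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a remote (flagged) and a local (ignored) template link.
SUSPICIOUS = build_sample("http://template-host.invalid/template.dotm")
BENIGN = build_sample("file:///C:/Users/Public/Templates/Normal.dotm")
```

The same scan can be pointed at any .docx, .dotx or .docm attachment from mail or a file share, since all of them are zip packages with the same relationship layout.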
“The threat group changes IP addresses dynamically, which makes it even harder to automate analysis via sandbox systems once the sample has aged out,” BlackBerry pointed out.
“The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and in all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine.”
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National Information Agency of Ukraine to the Russia-linked Sandworm hacking group.