
Gamaredon Group Launches Cyberattacks Towards Ukraine Utilizing Telegram

by crpt os


Jan 20, 2023 | Ravie Lakshmanan | Cyber War / Cyber Attack

The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.

“The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload,” the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “This kind of technique to infect target systems is new.”

Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults against Ukrainian entities since at least 2013.

Last month, Palo Alto Networks Unit 42 disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.

Attack chains mounted by the threat actor have employed legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.

These documents, when opened, load a malicious template from a remote source (a technique called remote template injection), effectively getting around the need to enable macros in order to breach target systems and propagate the infection.
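Remote template injection leaves a fingerprint in the document package itself: Word stores the template it loads on open as an `attachedTemplate` relationship in `word/_rels/settings.xml.rels`, and when that relationship is marked `TargetMode="External"` with a URL target, the lure will reach out to fetch it. The script below is an added illustration of a triage check for that fingerprint, not code from BlackBerry's report or from The Hacker News; it builds a constructed minimal `.docx` in memory (with a placeholder `.invalid` URL, not an indicator from the report) so it runs offline, and then reports any external template targets it finds.

```python
import io
import zipfile
from typing import Optional
from xml.etree import ElementTree as ET

# OOXML package-relationship namespace, and the relationship type Word uses
# for a document's attached (possibly remote) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the external attachedTemplate targets in a .docx/.dotx package.

    Word records the template a document loads on open in
    word/_rels/settings.xml.rels. An attachedTemplate relationship with
    TargetMode="External" pointing at a URL is the hallmark of remote
    template injection: the macro code lives in the fetched template, so the
    lure itself carries no VBA for the user to be warned about.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return []
        rels_xml = zf.read("word/_rels/settings.xml.rels")
    root = ET.fromstring(rels_xml)
    hits = []
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        if rel.get("TargetMode", "Internal") != "External":
            continue  # a template inside the package is not a remote fetch
        hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_url: Optional[str] = None) -> bytes:
    """Build a minimal constructed .docx in memory for testing the check.

    With template_url set, the package carries an external attachedTemplate
    relationship; with None it is a clean file with no template link.
    """
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="%s">' % REL_NS,
    ]
    if template_url is not None:
        rels.append(
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            % (ATTACHED_TEMPLATE, template_url)
        )
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            "</Types>",
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>",
        )
        zf.writestr(
            "word/settings.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_url is not None else "")
            + "</w:settings>",
        )
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL (.invalid TLD); not an indicator from the report.
    lure = build_sample_docx("http://template-host.invalid/lure.dotm")
    clean = build_sample_docx()
    print("sample with external template ->", find_remote_templates(lure))
    print("clean sample                  ->", find_remote_templates(clean))
```

Run it over a quarantined attachment with `find_remote_templates(open(path, "rb").read())`; any non-empty result is worth a look, since legitimate documents rarely load their template over HTTP. The check deliberately ignores internal template relationships and the document body, so it flags the fetch mechanism rather than guessing at the content of whatever the remote server would serve.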

The latest findings from BlackBerry demonstrate an evolution in the group’s tactics, wherein a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to fly under the radar.

To that end, the remote template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP address specified in the Telegram channel to fetch the next stage: a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file.

This PHP file is tasked with contacting another Telegram channel to retrieve a third IP address, which hosts the final payload: an information-stealing malware that was previously documented by Cisco Talos in September 2022.

It’s also worth pointing out that the heavily obfuscated VBA script is only delivered if the target’s IP address is located in Ukraine.

“The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out,” BlackBerry pointed out.

“The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and with all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine.”

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National News Agency of Ukraine to the Russia-linked Sandworm hacking group.
