The Russian-linked Gamaredon APT, aka Aqua Blizzard or Primitive, is performing yet another series of phishing attacks against Ukrainian government agencies. As CERT-UA continues to monitor and track the activities of this notorious group, a new fact regarding its data-stealing ability has come to light.
What are the findings?
In the ongoing campaign, Gamaredon has displayed exemplary skills in pilfering data from targeted systems within an hour of the attack. The campaign is aimed at entities in Ukraine, including security services, military, and government organizations.
- Once the malicious document is launched on the targeted system, the attackers will take between 30 and 50 minutes to pilfer the sensitive data.
- In some cases, the legitimate AnyDesk software application was leveraged to launch PowerShell and steal data by gaining remote access to computers.
- Gamaredon is interested in the theft of files with specific extensions such as .doc, .xls, .docs, .xlsx, .rtf, .txt, .jpg, .jpeg, and .zip.
- CERT-UA, furthermore, reported that threat actors were observed planting as many as 120 malicious files per week on the compromised system to maintain persistence, and in some cases, to allow re-infection.
Other facts
- The group has also been evolving its tactics, making use of USB flash drives to propagate malware. This is a notable tactic implemented by attackers as researchers report a three-fold increase in malware distribution via USB drives.
- Furthermore, they are taking constructive measures to avoid detection at the network level.
- During the day, the IP addresses of intermediate control nodes change 3 or 6 times, indicating that the attackers are relying on automation as part of their attack process.
Wrapping up
It is advised that organizations must adopt real-time threat alerting and threat insight sharing solutions to stay updated about new tactics and techniques adopted by Gamaredon APT. Furthermore, they can leverage IOCs associated with the attackers to gain tactical intelligence, enabling organizations to bolster their defense.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/8347_shutterstock_2293693179.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/948c_shutterstock_2122319639.jpg)
