Microsoft shared new information on Gamaredon, also known as ACTINIUM, which has been responsible for a plethora of spear-phishing attacks against Ukrainian organizations since October 2021. The gang has been active for at least a decade and has consistently targeted Ukrainian entities or organizations related to Ukrainian affairs. 

Diving into details

The cyberespionage campaign was being conducted from Crimea, indicating that the hackers are officers of the Russian FSB. ACTINIUM has attacked organizations in the military, government, NGO, law enforcement, non-profit, and judiciary sectors in Ukraine. The primary goals of the group include pilfering sensitive information, maintaining access, and using it to laterally move inside organizational networks. 

About the campaign

  • One of the techniques used by Gamaredon was sending spear-phishing emails with malicious macro-enabled attachments that load remote templates. 
  • Some of the phishing lures include masquerading as legitimate organizations, leveraging harmless attachments to establish trust with the target.
  • The attachments consisted of a first-stage payload that downloaded and executed other payloads. 
  • Several staging scripts were observed before the fully-featured malicious payload was dropped on the infected device. 
  • The infection chain delivers multiple binaries, such as PowerPunch, Pterodo, and QuietSieve. 

Why this matters

  • The Microsoft team hypothesized that the multiple stages exist because staged VBScripts are easier to alter when new obfuscation or C2 changes are needed.
  • It is also surmised that the scripts are deployed so that detection systems are less likely to identify the main functionalities.
  • The primary aim of the malicious activities is to collect intelligence by maintaining persistence. 
  • Pterodo is the most feature-rich malware family used in attacks by ACTINIUM, while QuietSieve is mainly used for monitoring and file extraction. 

The bottom line

Since October last year, Gamaredon has targeted and compromised accounts at organizations responsible for emergency response and for guaranteeing the security of Ukraine. It has, moreover, targeted organizations critical to coordinating the allocation of humanitarian and international resources to Ukraine in a crisis. However, the gang is not responsible for the recent attacks against Ukrainian government agencies and corporate entities with a wiper malware disguised as ransomware. As international tensions between Russia and Ukraine keep mounting, ACTINIUM's operations are likely to continue, and hence it is crucial to research the adversary's TTPs and implement proper defenses.