A known Russian threat group is targeting Ukrainian organizations with a new info-stealing malware in an espionage campaign. The infostealer uses lures related to the recent Russian attack on Ukraine.

Modus operandir

Researchers from Cisco Talos linked the campaign to the Russian state-backed threat group Gamaredon, which is known for targeting entities in the Ukrainian government, critical infrastructure, security, defense, and law industries.
  • Researchers claim that Gamaredon’s new infostealer is capable of stealing files from attached storage devices (local and remote). 
  • The infostealer could be a component of Gamaredon’s Giddome backdoor family, however, researchers could not confirm the same.
  • It comes with clear instructions to steal files with the following extensions: .DOC, .XLS, .RTF, .DOCX, .ODT, .TXT, .JPEG, .PDF, .JPG, .PS1, .ZIP, .7Z AND, .RAR, and .MDB. 
  • Moreover, while performing recursive enumeration of files in directories, the stealer avoids system folders and focuses on files of interest.

How does it spread?

The infostealer is spread using a PowerShell script similar to one mentioned in a recent alert posted by Ukraine CERT regarding Gamaredon’s intrusions during H1 2022.
  • The malware is delivered via phishing emails laden with Office documents with malicious VBS macros.
  • It makes POST requests with metadata and its content with each stolen file.
  • It can download more files from the C2 server that delivers instructions on delivered data treatment.

The infostealer was added to the Virus Total database over a month ago and detected by 50 antivirus engines.

Conclusion

The Gamaredon threat group is active and using the new infostealer  to target Ukrainian entities. However, the researchers have provided a list of IoCs regarding the new infostealer to stay protected from such espionage campaigns of Gamaredon.
Cyware Publisher

Publisher

Cyware