Security researchers from Cybaze-Yoroi ZLAB have unearthed a recent campaign associated with the Gamaredon Group. After analyzing an email sample from an attack, the researchers assert that the attack’s infection chain is a series of processes triggered by a password-protected self-extracting archive (SFX) containing a malicious Visual Basic Script or batch script.
Details from the analysis
Low detection rate
The researchers observed that the “.scr” file had a low detection rate on VirusTotal, with only four antivirus engines flagging it as malicious. Among them, only one identified it as a Gamaredon implant.
Infection chain remains the same
“The techniques and the infection patterns the Group is using are extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure to chain SFX archives, typical of their implant, but still effective and not easily detectable by several antivirus engines,” the researchers indicated.
The Gamaredon Group had earlier targeted Ukrainian entities in April this year.