- The researchers from Cybaze-Yoroi ZLAB identified this campaign after coming across a suspicious email.
- Gamaredon Group is known to target officials of the Ukrainian government as well as those from the Ukrainian military and law enforcement.
Security researchers from Cybaze-Yoroi ZLAB have unearthed a recent campaign associated with the Gamaredon Group. After analyzing an email sample from an attack, the researchers assert that the attack’s infection chain is a series of processes brought on by a password-protected self-extracting archive that contains a malicious Visual Basic Script or batch script.
Details from the analysis
- The email contained a malicious RAR archive attachment. A file with the “.scr” extension resides in this archive; when run, it automatically extracts three files onto the victim’s system. One of the files is a document, written in Ukrainian, describing a fictitious criminal charge.
- Among the three password-protected files, an LNK file is used to establish persistence on the compromised system. The third file, “winupd.exe”, is yet another self-extracting archive (SEA), which executes the “setup.vbs” script. This script schedules new tasks that collect all aspects of system information.
- Another SEA file called “jasfix.exe” emerges from “winupd.exe”. This file drops a legitimate remote administration tool called UltraVNC, which is used to connect to a C2 server belonging to Gamaredon Group.
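The chain above (a “.scr” dropper unpacked from an archive, a VBS script that registers scheduled tasks, and several self-extracting archives nested one inside the other) leaves a recognisable process tree. The following is an added detection example written for this article; it is not code from Cybaze-Yoroi ZLAB or from the report. It correlates constructed, Sysmon-style process-creation events (the field names, the parent process names such as WinRAR.exe, wscript.exe and schtasks.exe, the file paths, and the UltraVNC binary name winvnc.exe are all assumptions, not details from the analysis) and flags three behaviours: a screensaver executable that spawns children, schtasks.exe launched by a script host running a .vbs file, and a chain of three or more executables in user-writable directories each spawned by the previous one.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Executables under these directories are treated as "dropped" (user-writable) files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
NESTING_THRESHOLD = 3  # dropped executables in one ancestry line before we alert

# Constructed sample events modelled on the chain described in the article.
# Assumed names: WinRAR.exe (archive viewer), charge.scr (the .scr dropper),
# winvnc.exe (UltraVNC binary). winupd.exe, setup.vbs and jasfix.exe are from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\WinRAR\WinRAR.exe", "cmd": "WinRAR.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\Rar$EX\charge.scr", "cmd": "charge.scr"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\winupd.exe", "cmd": "winupd.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\setup.vbs"'},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /create /sc minute /mo 10 /tn upd /tr <placeholder>"},
    {"pid": 105, "ppid": 102, "image": r"C:\Users\u\AppData\Local\Temp\jasfix.exe", "cmd": "jasfix.exe"},
    {"pid": 106, "ppid": 105, "image": r"C:\Users\u\AppData\Local\Temp\winvnc.exe", "cmd": "winvnc.exe"},
    # Benign activity that must not trigger anything.
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\Office\WINWORD.EXE", "cmd": "WINWORD.EXE report.docx"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image paths from the root ancestor down to `pid` (inclusive)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings, in event order."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings: List[Tuple[str, int]] = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])

        # Rule 1: a screensaver binary acting as a dropper (it spawns further processes).
        if name.endswith(".scr") and children[e["pid"]]:
            findings.append(("screensaver_dropper", e["pid"]))

        # Rule 2: persistence registered by a .vbs script via a script host.
        if (name == "schtasks.exe" and parent is not None
                and _basename(parent["image"]) in SCRIPT_HOSTS
                and ".vbs" in parent["cmd"].lower()):
            findings.append(("vbs_scheduled_task", e["pid"]))

        # Rule 3: "Matryoshka" nesting: dropped executables launching dropped executables.
        dropped_depth = sum(1 for img in ancestry(events, e["pid"]) if USER_WRITABLE.search(img))
        if dropped_depth >= NESTING_THRESHOLD:
            findings.append(("nested_dropper_chain", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} pid={pid} chain={' -> '.join(_basename(i) for i in ancestry(SAMPLE_EVENTS, pid))}")
```

Rule 3 is the one worth tuning in a real environment: legitimate installers also unpack helper executables into Temp, so the threshold of three dropped executables in a single ancestry line is what keeps the alert specific to chained SFX archives rather than ordinary software updates.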
Low detection rate
The researchers observed that the “.scr” file had a low detection rate on VirusTotal, with only four antivirus engines flagging it as malicious. Among them, only one identified it as a Gamaredon implant.
Infection chain remains the same
“The techniques and the infection patterns the Group is using are extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure to chain SFX archives, typical of their implant, but still effective and not easily detectable by several antivirus engines,” the researchers indicated.
Gamaredon Group had earlier targeted Ukrainian entities in April this year.