By: Denise Simon | Founders Code
The Windows maker’s Threat Intelligence Center (MSTIC) is tracking the cluster under the moniker ACTINIUM (previously as DEV-0157), sticking to its tradition of identifying nation-state activities by chemical element names.
The Ukrainian government, in November 2021, publicly attributed Gamaredon to the Russian Federal Security Service (FSB) and connected its operations to the FSB Office of Russia in the Republic of Crimea and the city of Sevastopol. Details.
The Gamaredon APT was first spotted in 2013 and in 2015, when researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon, targeting other Ukrainian entities. Their “special attention” on Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.
The discovered attack appears to be designed to lure military personnel: it leverages a legit document of the “State of the Armed Forces of Ukraine” dated back on the 2nd April 2019. Source
For this reason, Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.
There are several outside government cyber experts that are reporting much the same as Microsoft as noted here.
Source: While Gamaredon has mainly targeted Ukrainian officials and organizations in the past, the group attempted an attack on January 19 that aimed to compromise a Western government “entity” in Ukraine, researchers at Palo Alto Networks’ Unit 42 organization reported Thursday. Gamaredon leadership includes five Russian Federal Security Service officers, the Security Service of Ukraine said previously.
Microsoft threat researchers released their own findings on Gamaredon in the blog post today, disclosing that the group has been actively involved in a malicious cyber activity in Ukraine since October 2021.
While the hacker group has been dubbed “Gamaredon” by Unit 42, Microsoft refers to the group by the name “Actinium.”
“In the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations,” the threat researchers said in the post. “MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage.”
Tactics used frequently by the group include spear-phishing emails with malicious macro attachments, resulting in the deployment of remote templates, the researchers said. By causing a document to load a remote document template with malicious code—the macros—this “ensures that malicious content is only loaded when required (for example, when the user opens the document),” Microsoft said.
“This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content,” the researchers said. “Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.”
The Microsoft researchers report that they’ve observed numerous email phishing lures used by Gamaredon, including those that impersonate legitimate organizations, “using benign attachments to establish trust and familiarity with the target.”
In terms of malware, Gamaredon uses a variety of different strains—the most “feature-rich” of which is Pterodo, according to Microsoft. The Pterodo malware family brings an “ability to evade detection and thwart analysis” through the use of a “dynamic Windows function hashing algorithm to map necessary API components, and an ‘on-demand’ scheme for decrypting needed data and freeing allocated heap space when used,” the researchers said.
Meanwhile, the PowerPunch malware used by the group is “an agile and evolving sequence of malicious code,” Microsoft said. Other malware families employed by Gamaredon include ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown.
‘Very agile threat’
Gamaredon “quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later,” the Microsoft researchers said. “These are fast-moving targets with a high degree of variance.”
Payloads analyzed by the researchers show a major emphasis on obfuscated VBScript (Visual Basic Script), a Microsoft scripting language. “As an attack, this is not a novel approach, yet it continues to prove successful as antivirus solutions must consistently adapt to keep pace with a very agile threat,” the researchers said.
Unit 42 had reported Thursday that Gamaredon’s attempted attack against a western government organization in January involved a targeted phishing attempt.
Instead of emailing the malware downloader to their target, Gamaredon “leveraged a job search and employment service within Ukraine,” the Unit 42 researchers said. “In doing so, the actors searched for an active job posting, uploaded their downloader as a resume, and submitted it through the job search platform to a Western government entity.”
Due to the “steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization,” Unit 42 said in its post.
Unit 42 has said it’s not identifying or further describing the western government entity that was targeted by Gamaredon.
No connection to ‘WhisperGate’ attacks
The attempted January 19 attack by Gamaredon came less than a week after more than 70 Ukrainian government websites were targeted with the new “WhisperGate” family of malware.
However, the threat actor responsible for those attacks appears to be separate from Gamaredon, the Microsoft researchers said in the post today. The Microsoft Threat Intelligence Center “has not found any indicators correlating these two actors or their operations,” the researchers said.
The U.S. Department of Homeland Security (DHS) last month suggested it’s possible that Russia might be eyeing a cyberattack against U.S. infrastructure, amid tensions between the countries over Ukraine.
Estimates suggest Russia has stationed more than 100,000 troops on the eastern border of Ukraine. On Wednesday, U.S. President Joe Biden approved sending an additional 3,000 U.S. troops to Eastern Europe.