The Russian state-sponsored cyber espionage group referred to as Gamaredon has continued its digital onslaught in opposition to Ukraine, with latest assaults leveraging the favored messaging app Telegram to strike navy and legislation enforcement sectors within the nation.
“The Gamaredon group’s community infrastructure depends on multi-stage Telegram accounts for sufferer profiling and affirmation of geographic location, after which lastly leads the sufferer to the following stage server for the ultimate payload,” the BlackBerry Analysis and Intelligence Crew mentioned in a report shared with The Hacker Information. “This sort of approach to contaminate goal programs is new.”
Gamaredon, additionally identified by names reminiscent of Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is understood for its assaults in opposition to Ukrainian entities since no less than 2013.
Final month, Palo Alto Networks Unit 42 disclosed the risk actor’s unsuccessful makes an attempt to interrupt into an unnamed petroleum refining firm inside a NATO member state amid the Russo-Ukrainian warfare.
Assault chains mounted by the risk actor have employed authentic Microsoft Workplace paperwork originating from Ukrainian authorities organizations as lures in spear-phishing emails to ship malware able to harvesting delicate info.
These paperwork, when opened, load a malicious template from a distant supply (a method known as distant template injection), successfully getting round the necessity to allow macros so as to breach goal programs and propagate the an infection.
The newest findings from BlackBerry reveal an evolution within the group’s ways, whereby a hard-coded Telegram channel is used to fetch the IP handle of the server internet hosting the malware. The IP addresses are periodically rotated to fly beneath the radar.
To that finish, the distant template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP handle specified within the Telegram channel to fetch the next-stage – a PowerShell script that, in flip, reaches out to a distinct IP handle to acquire a PHP file.
This PHP file is tasked with contacting one other Telegram channel to retrieve a 3rd IP handle that accommodates the ultimate payload, which is an information-stealing malware that was beforehand revealed by Cisco Talos in September 2022.
It is also price stating that the closely obfuscated VBA script is barely delivered if the goal’s IP handle is situated in Ukraine.
“The risk group modifications IP addresses dynamically, which makes it even more durable to automate evaluation by sandbox methods as soon as the pattern has aged out,” BlackBerry identified.
“The truth that the suspect IP addresses change solely throughout Japanese European working hours strongly means that the risk actor works from one location, and with all likelihood belongs to an offensive cyber unit that deploys malicious operations in opposition to Ukraine.”
The event comes because the Pc Emergency Response Crew of Ukraine (CERT-UA) attributed a damaging malware assault focusing on the Nationwide Information Company of Ukraine to the Russia-linked Sandworm hacking group.
