
Analysis of Gamaredon Campaigns

Security researchers report that the Russia-linked Gamaredon group provides services to other groups. The group has been active since 2013. Although it has been exposed many times in the past, it continues to operate, collecting information on predetermined targets and sharing data with other APT groups.

The techniques Gamaredon uses are common in the crimeware world: trojanized installers, self-extracting archives, spam carrying malicious payloads, template injection, and so on.

In addition, Gamaredon operates an infrastructure of more than 600 active domain names, used as the first stage of command and control (C&C). In one event, approximately 1,700 IP addresses from 43 different countries were observed.

[Figure: Gamaredon avoided countries]

Gamaredon is very different from other APTs. Examining several of its campaigns shows that its victimology is not limited to countries/regions such as Ukraine or the United States. We believe Gamaredon is particularly interested in Ukrainian targets, because most of the malicious emails and documents it uses are written in Russian and try to imitate official documents of the Ukrainian government. However, as shown in the figure below, Gamaredon's history can be traced back to January 1, 2021.

[Figure: Gamaredon victim map]

As is often the case in Gamaredon campaigns, this campaign also uses template injection in a Word document as the initial attack vector, usually delivered to victims through spear-phishing emails.

[Figure: Gamaredon template injection]
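Template injection works because a .docx can carry a relationship of type attachedTemplate in word/_rels/settings.xml.rels whose Target is an external URL; Word fetches that template (a .dot/.dotm such as the ones in the IOC list) when the document opens. The following detector is an added example for defenders and is not code from the original report or from any vendor; it parses that relationship file inside the OOXML container and flags external template targets. The documents it checks are constructed in memory for the demonstration, and the URLs in them are placeholders (example.invalid), not the campaign's real infrastructure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PART = "word/_rels/settings.xml.rels"


def _target_kind(target):
    """Classify a relationship target: 'unc' for \\\\server\\share paths,
    otherwise the URL scheme ('http', 'https', 'file', ...) or '' if relative."""
    if target.startswith("\\\\"):
        return "unc"
    return urlparse(target).scheme.lower()


def find_remote_templates(docx_bytes):
    """Return [(target, kind), ...] for every attachedTemplate relationship
    marked TargetMode="External". A benign document either has no attached
    template or references a local one (TargetMode absent / Internal)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            hits.append((target, _target_kind(target)))
    return hits


def build_sample_docx(template_target, external=True):
    """Construct a minimal .docx container (constructed test data, not a real
    sample) whose settings relationships point at template_target."""
    mode_attr = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">' % REL_NS
        + '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        % (ATTACHED_TEMPLATE, template_target, mode_attr)
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, not an indicator from the report.
    suspicious = build_sample_docx("http://example.invalid/headlight/template.dot")
    benign = build_sample_docx("Normal.dotm", external=False)
    print("suspicious:", find_remote_templates(suspicious))
    print("benign:", find_remote_templates(benign))
```

To use it on real mail attachments, read each .docx into bytes and treat any non-empty result as a template-injection candidate; the external target is then the value to compare against the URL indicators listed under IOCs below. The function only inspects settings.xml.rels, which is where attachedTemplate lives; other external relationships (oleObject, hyperlink) are a separate check.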

The template file contains an embedded VBA macro that decodes a base64 string, writes the result to a VBS script file, and then executes that VBS.

This VBS is the first stage of the malware. It first checks whether the second stage is already running and, if so, terminates all processes related to the second stage.

[Figure: Gamaredon VBA macro]

IOCs

URLs

http[:]//email-smtp.online/headlight/oSaSSsECyqR.dot
http[:]//email-smtp.online/preceding/RbfwAlJtAwm.dot
http[:]//email-smtp.online/present/VhhJHnvBBFA.dot
http[:]//email-smtp.online/sequence/hjnerkXCXrc.dot
http[:]//inula.ru/HMGZHUG/VWEQNRH/INDEX.HTML

MD5

63cf9b478dc3761ad0b0c51b76933266
e49868b782af915588e45fa67807331a
25774252fa4945e7106ba5f3d7a328d8
6cc602c79e906a64af6c30581ca77906
04490fb43c9adbfdee9d7918e3db0af5
2b1196c1773a5bffdff22dffcf9730e5

SHA-1

d00a937b8d71e7dcfd49e03071fdee2543598b96
d95d5c00f2cb042f04e7e0247c170719dd396bbe
eca31ab27cf6134040644d2b57a6d46c8b552e98
82d029d72be2e2c75551b52e8e4af7052bdc275d
bce3c7593675c171d03bfffd5d66981b14cf8e66
6f992c9facc2cd8cfeae95ab96ed4ef3428362e7

SHA-256

8babd686e005bad396b841bbe0399e5297771f68e1355f33ed0ab704b59efe06
db2fdaa59cc7c6bc7bed412ba5638bde7611a204e04e1b13c3e5435542839af1
940ed99abb8a1d9dd7269ebb27f34605bd715dcc45d75f17ad059139219e6dc0
36ed18f16e5d279ec11da50bd4f0024edc234cccbd8a21e76abcfc44e2d08ff2
81bdc709be19af44a1acc7c6289ed0212d214a7d0e5ffd4c35d3fa0b87401175
1ed5ddaa41046437ac9b6fe7b3719f89fd51c12b4b26c651876184613a018cdd