
Gamaredon Targeting Ukraine With Timely

Researchers recently discovered an attack against Ukrainian government officials. The activity first appeared in January 2021 and lasted at least until late March. The attackers used decoy documents related to current-affairs topics. The purpose of the malicious activity is not yet clear. The researchers attributed it with high confidence to Gamaredon, a Russian state-sponsored cyber-espionage group.


Most of the decoy document's content is written in Ukrainian, with only a few parts in Russian. The document attempts to download remote .dot template files through template injection. Its content refers to Ukrainian government agencies and public entities as well as Russian intelligence agencies, and it uses the specific names of related individuals and entities from January to mid-March 2021 to make the malicious files appear more legitimate.
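Template injection works because Word resolves a <w:attachedTemplate r:id="..."> entry in word/settings.xml through word/_rels/settings.xml.rels, and an External relationship there can point at a remote .dot such as the ones listed below. The following is an added detection example, not code from the original report or the researchers: it builds a small constructed .docx in memory (with a placeholder URL, not one of the reported indicators), then checks whether settings.xml references an external attachedTemplate and defangs the result for reporting.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

# OOXML namespaces used by Word for the attached-template relationship.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"

# Constructed placeholder, not one of the URLs reported in this article.
PLACEHOLDER_URL = "http://template-host.invalid/remote.dot"


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx (zip) in memory.

    With template_url set, it carries the two pieces a template-injection lure
    needs: <w:attachedTemplate r:id=...> in word/settings.xml and an External
    relationship of type attachedTemplate in word/_rels/settings.xml.rels.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        settings = f'<?xml version="1.0"?><w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        rels = f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
        if template_url:
            settings += '<w:attachedTemplate r:id="rId1"/>'
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_url}" TargetMode="External"/>')
        zf.writestr("word/settings.xml", settings + "</w:settings>")
        zf.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
    return buf.getvalue()


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target that settings.xml actually references."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/settings.xml" not in names or "word/_rels/settings.xml.rels" not in names:
            return hits
        settings = ET.fromstring(zf.read("word/settings.xml"))
        # Relationship ids that settings.xml points at via w:attachedTemplate.
        wanted = {el.get(f"{{{R_NS}}}id") for el in settings.iter(f"{{{W_NS}}}attachedTemplate")}
        rels = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Id") in wanted
                    and rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode", "Internal").lower() == "external"):
                hits.append(rel.get("Target", ""))
    return hits


def defang(url: str) -> str:
    """Defang only the host part, in the same [.] style as the IOC list below."""
    host = urlsplit(url).netloc
    return url.replace(host, host.replace(".", "[.]"), 1) if host else url


if __name__ == "__main__":
    for label, sample in (("lure", build_sample_docx(PLACEHOLDER_URL)),
                          ("clean", build_sample_docx(None))):
        found = find_remote_templates(sample)
        print(label, "->", [defang(u) for u in found] or "no remote template")
```

Cross-checking the relationship id against settings.xml, rather than grepping every .rels part for "attachedTemplate", avoids alerting on a stale relationship that Word would never follow; a legitimate document attached to a local or UNC template shows up as TargetMode="Internal" or a file path, which the check ignores.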

The chain of infection observed by the researchers is as follows:

[Figure: infection-chain diagram (image not preserved)]

The report coincided with an escalation of tensions between the two countries, at a time when Russian troops were gathering along the Ukrainian border.

The researchers said that the target of this attack is not clear, because the remote template domain used by the decoy document had already been shut down when the activity was discovered, and it is not known what the campaign's final payload was.

IOCs

IP addresses

172.67.136[.]62
104.21.48[.]186
185.119.58[.]61
131.107.255[.]255
195.161.114[.]130

URLs

http://download[.]logins
http://download.logins[.]online/
http://download[.]logins.online/wsusa
http://email-smtp[.]online/
http://email-smtp[.]online/preceding/
http://email-smtp[.]online/preceding/rbfwaljtawm.dot
http://word-expert[.]online/
http://word-expert[.]online/september/
http://word-expert[.]online/september/jtfqxxhzqaw.dot
http://melitaeas[.]online
http://melitaeas[.]online/4857E18C/countryside/prevent/
http://melitaeas[.]online/4857E18C/countryside/prevent/counter.dot
http://hamadryas[.]online
http://hamadryas[.]online/4857E18C/almost/councilman/rejoice/
http://hamadryas[.]online/4857E18C/almost/councilman/rejoice/clank.dot
http://acetica[.]online
http://acetica[.]online/header/precaution/precisely.dot
http://acetica[.]online/presently/refuge/intention.dot
http://acetica[.]online/intent/sense/guarded.dot
http://mail-check[.]ru
http://mail-check[.]ru/preservation/quietly/seedlings.dot
http://mail-check[.]ru/refrigerator.dot
http://mail-check[.]ru/prediction.dot
http://mail-check[.]ru/pre.dot
http://mail-check[.]ru/barrier.dot
http://office360-expert[.]online
http://office360-expert[.]online/intake
http://office360-expert[.]online/intake/pfJwhBY.dot

File hashes

MD5
f8af71e85f5bee6b3fee2fcfd15da893
3182b68be6c01537d466415d4eda7933
5db3abc526fc334034f30e988a10c02a
655f383e817a989e3114250232d0cd07
4f784000504f8adc2a77c9908a209c2d
9985bd33a8d129aba66feb1dd553fd22
c32ade7f29dcf2dfa166aa44bea8980b
7b62f40f5986be36f783863fa45a9946
c36939365d244081d6860f42779a1503
f37095018deff37c70065ed5cf37e06b
a9260f7ae7939637b9ae43dec8e03abb
b55956fbc3cda1481c07fe08ce254706
fa882c526ba36ec4219698ab6e64e699
8e6a988814519656b90f109ac61ee84b
214962b4199bd07019b3dc34396e03ff

SHA-1
bb068a9cf83196b51d79fdafab7d8fe184584ffa
2694bc6dfcab82d027d1f2359778d5f3ba7a819c
300ab6327857d9643e1369a3f5ea4e3db30a0bee
5ec4eca2b58a6ea74bb3706abb98c00c13368925
61a673c51cac2a8f5de1cdd1c78357ca49e739f6
6caaea84ffa2295b9e458901126a2b407aea3062
460e78674e6949fd1dc68d4ccb36b27b10098c40
f7e70c94df0d86b5fab16c0e260f62ba98209f06
2eb237a3fb7e03709f92f0fafe857155adfb9518
1c031f8323d9230d54b6cdb89a4a7430a86fbb38
2dd8c829591425089353e8581ec4c0eb791c03ba
9e1a0c7f3cc67a803c9bd8ae7a79719943e895b8
0da150a3c69abe20d9178732d5497bef861a7225
c63930fbad99a070909014f04f563156e56117a4
393b1a91cad16eeaf3c3fa6490e3e3f5c07a1c43

SHA-256
82fe93b52ae5f12fad99fc533324cbf680f5777cc67b9f30dd2addeeee7527f8
d5d080a96b716e90ec74b1de5f42f26237ac959da9af7d09cce2548b5fc4473d
e7f61cd965886e1ca75d5bd3d3140ce7c78c78c245d57c285af83711148b7472
9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418
4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52
e12c6b63c6216338aa645b63f589d2e96e868f9b1f6402520649cfeb7c053c83
f25f4a78760bf0644c06814a3439b772610d7d62f6c5efde8fb314cc58697b01
63da0b2abb744a5c92c3a1fff2c3e5940f5c969890f3f16fd8dca0a1363da494
41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4
fe3141950fe263f50edd8a202fe746dac736dcef91331cd4375d3ede27d5530a
de1df653ca846cc3b01239c9e16c80cee52c01c921a0e8e34c2e5d4425eee715
0600f4be4dc7fe5ba4e226b797888667f5dd6138734a6333da697346e897c216
611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608
8fbea49a8b26889e9157ace2003334f56e3de7020cb099d3948df676539eb4a3
e48fc5ce578d938320f9bce496015247b8c52bee04d851f44270bef8bf831696
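The indicators above are defanged with "[.]" and mix IPs, URLs and three hash lengths, so they cannot be pasted into a search as-is. The following added example, which is not part of the original report, refangs a subset of the published indicators, sorts them by type, and scans a handful of constructed proxy, firewall and EDR log lines (not real telemetry) for matches. The log format and field names are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Subset of the indicators published above, kept defanged exactly as listed.
RAW_IOCS = [
    "172.67.136[.]62",
    "185.119.58[.]61",
    "http://email-smtp[.]online/preceding/rbfwaljtawm.dot",
    "http://word-expert[.]online/september/jtfqxxhzqaw.dot",
    "http://mail-check[.]ru/pre.dot",
    "f8af71e85f5bee6b3fee2fcfd15da893",
    "82fe93b52ae5f12fad99fc533324cbf680f5777cc67b9f30dd2addeeee7527f8",
]

HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo the common defanging conventions so values can be compared to raw logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def classify(iocs: List[str]) -> Dict[str, Set[str]]:
    """Group refanged indicators by type; URLs also contribute their hostname."""
    out: Dict[str, Set[str]] = {k: set() for k in ("ip", "domain", "url", "md5", "sha1", "sha256")}
    for raw in iocs:
        v = refang(raw.strip()).lower()
        if not v:
            continue
        if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_LEN:
            out[HASH_LEN[len(v)]].add(v)
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", v):
            out["ip"].add(v)
        elif "://" in v:
            out["url"].add(v)
            out["domain"].add(urlsplit(v).hostname or "")
        else:
            out["domain"].add(v)
    return out


# Constructed log lines for the example; the format is an assumption, not a real product's.
SAMPLE_LOGS = [
    '2021-03-02T09:14:11Z proxy src=10.0.0.12 url="http://email-smtp.online/preceding/rbfwaljtawm.dot" ua="Microsoft Office Word"',
    '2021-03-02T09:14:12Z proxy src=10.0.0.12 url="https://update.example.com/ok" ua="Microsoft Office Word"',
    '2021-03-02T09:15:40Z fw src=10.0.0.12 dst=185.119.58.61 dport=80 action=allow',
    '2021-03-02T09:16:01Z edr host=ws12 file=invite.docx md5=F8AF71E85F5BEE6B3FEE2FCFD15DA893',
]

URL_RE = re.compile(r"https?://[^\s\"']+")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (line, indicator type, matched value) for every indicator seen in the lines."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        low = line.lower()
        for url in URL_RE.findall(low):
            host = urlsplit(url).hostname or ""
            if url in iocs["url"]:
                hits.append((line, "url", url))
            elif host in iocs["domain"]:
                hits.append((line, "domain", host))
        for ip in IP_RE.findall(low):
            if ip in iocs["ip"]:
                hits.append((line, "ip", ip))
        for h in HEX_RE.findall(low):
            kind = HASH_LEN.get(len(h))
            if kind and h in iocs[kind]:
                hits.append((line, kind, h))
    return hits


if __name__ == "__main__":
    for line, kind, value in scan(SAMPLE_LOGS, classify(RAW_IOCS)):
        print(f"{kind:7} {value}\n    {line}")
```

Matching on the hostname as well as the full URL matters for this campaign: the .dot file names were varied per target, so a log entry for an unlisted path under one of the listed domains is still worth an alert.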