ESET Analysis
ESET Analysis has carried out a complete technical evaluation of Gamaredon’s toolset used to conduct its cyberespionage actions centered in Ukraine
26 Sep 2024
•
,
5 min. learn
The warfare in Ukraine, which began in February 2014 and intensified with Russia’s invasion of the nation on February twenty fourth, 2022, exemplifies a multifaceted warfare, rife with disinformation campaigns and cyberwarfare. All through these years, ESET Analysis has revealed a number of high-profile cyberattacks carried out by Russia-aligned superior persistent risk (APT) teams concentrating on Ukrainian entities and Ukrainian audio system, analyzed varied operations, and saved observe of a number of APT teams specializing in this area due to the warfare.
On this analysis, we determined to look at the operations of Gamaredon, the Russia-aligned group that has been energetic since not less than 2013 and is presently probably the most engaged APT group in Ukraine. The depth of the bodily battle has noticeably elevated since 2022, but it surely’s price noting that the extent of exercise from Gamaredon has remained constant – the group has been methodically deploying its malicious instruments in opposition to its targets since properly earlier than the invasion started.
Now we have analyzed 1000’s of samples whereas conducting a complete technical evaluation of Gamaredon’s toolset used to conduct its cyberespionage actions in 2022 and 2023; we reveal the outcomes of our evaluation in our white paper, which you’ll be able to learn in full right here:
Within the white paper, we share particulars about Gamaredon’s ever-changing obfuscation tips and quite a few methods used for bypassing domain-based blocking. These techniques pose a major problem to monitoring efforts, as they make it tougher for methods to routinely detect and block the group’s instruments. Nonetheless, throughout our analysis, we managed to establish and perceive these techniques, and maintain observe of Gamaredon’s actions. We additionally describe the instruments which can be most prevalent or fascinating in another manner with the intention to shed extra mild on the relationships that exist among the many instruments and to assist create an even bigger image of the instruments’ ecosystem.
Victimology and group background
Gamaredon has been attributed by the Safety Service of Ukraine (SSU) to the 18th Middle of Data Safety of the FSB, working out of occupied Crimea. We consider this group to be collaborating with one other risk actor that we found and named InvisiMole.
As evidenced over time by ESET telemetry, in a number of studies from CERT-UA, and from different official Ukrainian our bodies, the vast majority of Gamaredon’s assaults are directed in opposition to Ukrainian governmental establishments. To our shock, in April 2022 and February 2023, we noticed just a few makes an attempt to compromise targets in a number of NATO nations, specifically Bulgaria, Latvia, Lithuania, and Poland, however no profitable breaches have been noticed.
Between November 1st, 2022 and December thirty first 2023, we noticed greater than a thousand distinctive machines in Ukraine that have been attacked by Gamaredon. The seven-day transferring common of day by day additions is visualized in Determine 1.
Determine 1. Seven-day transferring common of distinctive machines attacked in Ukraine
Noisy and reckless, however nonetheless harmful
To compromise new victims, Gamaredon conducts spearphishing campaigns after which makes use of its customized malware to weaponize Phrase paperwork and USB drives accessible to the preliminary sufferer and which can be anticipated to be shared with additional potential victims.
In line with our long-term observations, Gamaredon, in contrast to most APT teams, doesn’t attempt to be stealthy and stay hidden so long as potential by utilizing novel methods when conducting cyberespionage operations, however slightly the operators are reckless and don’t thoughts being found by defenders throughout their operations. Despite the fact that they don’t care a lot about being noisy, they apparently put in a number of effort to keep away from being blocked by safety merchandise and check out very onerous to take care of entry to compromised methods.
Usually, Gamaredon makes an attempt to protect its entry by deploying a number of easy downloaders or backdoors concurrently. The dearth of sophistication of Gamaredon instruments is compensated by frequent updates and use of repeatedly altering obfuscation.
A shift in direction of VBScript and PowerShell
Gamaredon’s toolset has undergone a number of modifications over time. In 2022, the group slowly began to shift towards the usage of VBScript and PowerShell in tandem, and Gamaredon virtually utterly ditched the usage of SFX archives, which had been its main tactic beforehand. Throughout 2023, Gamaredon notably improved its cyberespionage capabilities and developed a number of new instruments in PowerShell, with the deal with stealing helpful knowledge, for instance from internet functions working inside web browsers, e-mail shoppers, and immediate messaging functions comparable to Sign and Telegram.
Nevertheless, PteroBleed, an infostealer we found in August 2023, additionally focuses on stealing knowledge associated to a Ukrainian navy system and from a webmail service utilized by a Ukrainian governmental establishment. The timeline of recent instruments launched in 2022 and 2023 is proven in Determine 2; apart from PteroScreen, all of them have been found by ESET Analysis.
Determine 2. Timeline of recent instruments added to Gamaredon’s arsenal
Normally, we are able to categorize Gamaredon’s toolset into downloaders, droppers, weaponizers, stealers, backdoors, and advert hoc instruments. The group makes use of a mixture of general-purpose and devoted downloaders to ship payloads. Droppers are used to ship varied VBScript payloads; weaponizers alter properties of current information or create new information on linked USB drives, and stealers exfiltrate particular information from the file system. Moreover, backdoors function distant shells, and advert hoc instruments carry out particular features, like a reverse SOCKS proxy or payload supply utilizing the reputable command line program rclone.
Quick switching of C&C IP addresses and domains
Our evaluation additionally sheds mild on the group’s community infrastructure. Gamaredon makes use of a way referred to as quick flux DNS – steadily altering its command and management (C&C) servers’ IP addresses, often a number of instances per day, to keep away from IP-based blocking. The group additionally steadily registers and updates many new C&C domains to keep away from domain-based blocking, primarily utilizing .ru because the top-level area (TLD).
Gamaredon has additionally demonstrated resourcefulness by using varied methods to evade network-based detections, leveraging third-party providers comparable to Telegram, Cloudflare, and ngrok.
Regardless of the relative simplicity of its instruments, Gamaredon’s aggressive method and persistence make it a major risk. Given the continued warfare within the area, we count on Gamaredon to proceed in its deal with Ukraine.
For a extra detailed evaluation and technical breakdown of Gamaredon’s instruments and actions, you’ll be able to entry the complete ESET Analysis white paper right here.
A complete checklist of indicators of compromise (IoCs) could be present in our GitHub repository and the Gamaredon white paper.