Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

Sept. 27, 2024, 5:46 p.m.

Description

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental institutions. Gamaredon employs a variety of custom malware tools written in PowerShell, VBScript, and C, as well as some open-source tools. The analysis covers their tactics for initial access, including spearphishing and weaponized documents and USB drives. It details numerous tools used for downloading payloads, dropping files, weaponizing systems, stealing data, and maintaining backdoor access. The report also examines Gamaredon's obfuscation techniques, network infrastructure, and methods for bypassing domain-based blocking.

External References

https://web-assets.esetstatic.com/wls/en/papers/white-papers/cyberespionage-gamaredon-way.pdf
https://otx.alienvault.com/pulse/66f6e8267bdf4b235698b737
Tags
apt
backdoors
stealers
2024-09-27

Date

  • Created: Sept. 27, 2024, 5:15 p.m.
  • Published: Sept. 27, 2024, 5:15 p.m.
  • Modified: Sept. 27, 2024, 5:46 p.m.

Indicators

  • 91.200.148.232
  • 89.23.107.188
  • 89.19.209.154
  • 89.185.84.204
  • 89.185.84.141
  • 80.90.181.107
  • 68.183.2.92
  • 62.133.62.73
  • 67.205.160.237
  • 5.252.178.140
  • 46.29.234.46
  • 212.18.104.56
  • 209.97.165.187
  • 195.133.88.128
  • 194.180.191.30
  • 188.166.247.34
  • 185.163.45.5
  • 167.172.139.39
  • 165.227.208.207
  • 164.92.115.188
  • 159.223.152.63
  • 143.198.160.45
  • 141.98.233.17
  • 185.225.19.16
  • 185.163.47.177
  • 161.35.106.28
  • 5.181.156.109
  • www.toorisugita.ru
  • login.kifales.ru
  • youdad.ru
  • using.ru
  • tolofa.ru
  • statuesque.ru
  • rieturc.ru
  • retarus.ru
  • opela.ru
  • nododru.ru
  • nikortal.ru
  • marginisbi.ru
  • loturam.ru
  • lokalut.ru
  • hulortad.ru
  • havxcq.ru
  • hakold.ru
  • goloser.ru
  • fritopa.ru
  • dfgqdsd.ru
  • consentesto.ru
  • amasiyagi.ru
  • absorbeni.ru
Download all indicators here!

Attack Patterns

  • PteroPowder
  • PteroClone
  • PteroSocks
  • PteroPShell
  • PteroScout
  • PteroBleed
  • PteroGram
  • PteroCookie
  • PteroSig
  • PteroSteal
  • PteroScreen
  • PteroVDoor
  • PteroPSDoor
  • PteroDig
  • PteroTemplate
  • PteroDoc
  • PteroLNK
  • PteroCDrop
  • PteroRisk
  • PteroDash
  • PteroSand
  • PteroX
  • PteroPSLoad
  • Gamaredon
  • T1132.001
  • T1074.001
  • T1025
  • T1053.005
  • T1539
  • T1113
  • T1047
  • T1027

Additional Informations

  • Government
  • Latvia
  • Bulgaria
  • Lithuania
  • Poland
  • Ukraine