Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

Sept. 27, 2024, 5:46 p.m.

Description

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental institutions. Gamaredon employs a variety of custom malware tools written in PowerShell, VBScript, and C, as well as some open-source tools. The analysis covers their tactics for initial access, including spearphishing and weaponized documents and USB drives. It details numerous tools used for downloading payloads, dropping files, weaponizing systems, stealing data, and maintaining backdoor access. The report also examines Gamaredon's obfuscation techniques, network infrastructure, and methods for bypassing domain-based blocking.

Date

Published: Sept. 27, 2024, 5:15 p.m.
Created: Sept. 27, 2024, 5:15 p.m.
Modified: Sept. 27, 2024, 5:46 p.m.

Indicators

www.toorisugita.ru

Attack Patterns

PteroPowder

PteroClone

PteroSocks

PteroPShell

PteroScout

PteroBleed

PteroGram

PteroCookie

PteroSig

PteroSteal

PteroScreen

PteroVDoor

PteroPSDoor

PteroDig

PteroTemplate

PteroDoc

PteroLNK

PteroCDrop

PteroRisk

PteroDash

PteroSand

PteroX

PteroPSLoad

Gamaredon

T1132.001

T1074.001

T1025

T1053.005

T1539

T1113

T1047

T1027

Additional Information

Government

Latvia

Bulgaria

Lithuania

Poland

Ukraine