Today > vulnerabilities   -   You can now download lists of IOCs here!

Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

Sept. 27, 2024, 5:46 p.m.

Tags
apt
backdoors
stealers
2024-09-27
External References
Description

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental institutions. Gamaredon employs a variety of custom malware tools written in PowerShell, VBScript, and C, as well as some open-source tools. The analysis covers their tactics for initial access, including spearphishing and weaponized documents and USB drives. It details numerous tools used for downloading payloads, dropping files, weaponizing systems, stealing data, and maintaining backdoor access. The report also examines Gamaredon's obfuscation techniques, network infrastructure, and methods for bypassing domain-based blocking.

Date

Published: Sept. 27, 2024, 5:15 p.m.

Created: Sept. 27, 2024, 5:15 p.m.

Modified: Sept. 27, 2024, 5:46 p.m.

Indicators

91.200.148.232

89.23.107.188

89.19.209.154

89.185.84.204

89.185.84.141

80.90.181.107

68.183.2.92

62.133.62.73

67.205.160.237

5.252.178.140

46.29.234.46

212.18.104.56

209.97.165.187

195.133.88.128

194.180.191.30

188.166.247.34

185.163.45.5

167.172.139.39

165.227.208.207

164.92.115.188

159.223.152.63

143.198.160.45

141.98.233.17

185.225.19.16

185.163.47.177

161.35.106.28

5.181.156.109

www.toorisugita.ru

login.kifales.ru

youdad.ru

using.ru

tolofa.ru

statuesque.ru

rieturc.ru

retarus.ru

opela.ru

nododru.ru

nikortal.ru

marginisbi.ru

loturam.ru

lokalut.ru

hulortad.ru

havxcq.ru

hakold.ru

goloser.ru

fritopa.ru

dfgqdsd.ru

consentesto.ru

amasiyagi.ru

absorbeni.ru

Download all indicators here!

Attack Patterns

PteroPowder

PteroClone

PteroSocks

PteroPShell

PteroScout

PteroBleed

PteroGram

PteroCookie

PteroSig

PteroSteal

PteroScreen

PteroVDoor

PteroPSDoor

PteroDig

PteroTemplate

PteroDoc

PteroLNK

PteroCDrop

PteroRisk

PteroDash

PteroSand

PteroX

PteroPSLoad

Gamaredon

T1132.001

T1074.001

T1025

T1053.005

T1539

T1113

T1047

T1027

Additional Informations

Government

Latvia

Bulgaria

Lithuania

Poland

Ukraine