Extensive Analysis of APT-C-53 (Gamaredon) Group's Attack Activities

Dec. 10, 2024, 2:33 p.m.

Description

APT-C-53 (Gamaredon), also known as Primitive Bear, Winterflounder, and BlueAlpha, is an active APT group since 2013 targeting government, defense, diplomacy, and media sectors. The analysis reveals their use of complex techniques including malicious LNK files, XHTML files, and sophisticated phishing campaigns. Their attack vectors include email attachments with compressed files containing malicious LNK files, XHTML files that download malicious payloads, and HTA files. The group employs various obfuscation techniques and leverages PowerShell scripts for persistence and communication with command and control servers. The malware also has capabilities to infect removable drives and maintain persistence through registry modifications.

External References

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505004&idx=1&sn=903d7e5ba2a23d6ecfbd81a1871a112c&chksm=f9c1e765ceb66e73a5b9d2e4b557ddd6564cc9528bd922a75af6760a1bd784c74e2ed7ce3ad3
https://otx.alienvault.com/pulse/67584e59edd5060c42fc5b5d
Tags
2024-12-10
gamaredon

Date

  • Created: Dec. 10, 2024, 2:21 p.m.
  • Published: Dec. 10, 2024, 2:21 p.m.
  • Modified: Dec. 10, 2024, 2:33 p.m.

Indicators

  • b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda
  • 5.181.159.32
  • wilderness-activists-gazette-purse.trycloudflare.com
  • painful-pam-noise-operating.trycloudflare.com
  • mind-apple-slightly-twiki.trycloudflare.com
  • isp-quotes-yemen-spectrum.trycloudflare.com
Download all indicators here!

Attack Patterns

  • APT-C-53 (Gamaredon)
  • T1021.001
  • T1073
  • T1091
  • T1059.001
  • T1547.001
  • T1012
  • T1082
  • T1071
  • T1204
  • T1140
  • T1027
  • T1566

Additional Informations

  • Media
  • Defense
  • Government