Extensive Analysis of APT-C-53 (Gamaredon) Group's Attack Activities
Dec. 10, 2024, 2:33 p.m.
Description
APT-C-53 (Gamaredon), also known as Primitive Bear, Winterflounder, and BlueAlpha, is an APT group active since 2013 that targets the government, defense, diplomacy, and media sectors. The analysis reveals their use of complex techniques, including malicious LNK files, XHTML files, and sophisticated phishing campaigns. Their attack vectors include email attachments with compressed archives containing malicious LNK files, XHTML files that download malicious payloads, and HTA files. The group employs various obfuscation techniques and leverages PowerShell scripts for persistence and for communication with command and control servers. The malware can also infect removable drives and maintains persistence through registry modifications.
Date
Published: Dec. 10, 2024, 2:21 p.m.
Created: Dec. 10, 2024, 2:21 p.m.
Modified: Dec. 10, 2024, 2:33 p.m.
Indicators
b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda
5.181.159.32
wilderness-activists-gazette-purse.trycloudflare.com
painful-pam-noise-operating.trycloudflare.com
mind-apple-slightly-twiki.trycloudflare.com
isp-quotes-yemen-spectrum.trycloudflare.com
Attack Patterns
APT-C-53 (Gamaredon)
T1021.001
T1073
T1091
T1059.001
T1547.001
T1012
T1082
T1071
T1204
T1140
T1027
T1566
Additional Information
Media
Defense
Government