Thursday, January 30, 2025

GamaCopy Mimics Gamaredon Techniques in Cyber Espionage Targeting Russian Entities


A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in cyber attacks targeting Russian-speaking entities.

The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.

According to the Knownsec 404 Advanced Threat Intelligence team, the attacks use content related to military facilities as lures to drop UltraVNC, allowing the threat actors to remotely access the compromised hosts.


“The TTP (Techniques, Tactics, and Procedures) of this group imitates that of the Gamaredon group which conducts attacks against Ukraine,” the company said in a report published last week.

The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities had been the target of Core Werewolf, with the spear-phishing attacks paving the way for the MeshCentral platform instead of UltraVNC.


The starting point of the attack chain mirrors the one detailed by the Russian cybersecurity company, in which a self-extracting (SFX) archive file created using 7-Zip acts as a conduit to drop next-stage payloads. This includes a batch script responsible for delivering UltraVNC while also displaying a decoy PDF file.

The UltraVNC executable is given the name “OneDrivers.exe” in a likely effort to evade detection by passing it off as a binary associated with Microsoft OneDrive.

Knownsec 404 said the activity shares several similarities with Core Werewolf campaigns, including the use of 7z-SFX files to install and execute UltraVNC, port 443 to connect to the server, and the use of the EnableDelayedExpansion command.
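The traits listed above (SFX-dropped batch script, delayed expansion, a renamed UltraVNC binary calling out on 443) are what a defender can hunt for. The following Python sketch is an added example, not code from the Knownsec 404 report; its event field names, the "7zS" temp-folder pattern and the sample telemetry are assumptions constructed for illustration.

```python
# Added detection sketch for the chain above: a 7-Zip SFX drops a batch script
# (EnableDelayedExpansion) that starts UltraVNC renamed OneDrivers.exe over tcp/443.
# Field names and the "7zS" temp-folder pattern are assumptions, not a sensor schema.
import re
from dataclasses import dataclass, field

@dataclass
class Proc:
    image: str                       # on-disk path of the executed file
    orig_name: str                   # OriginalFilename from the PE version resource
    cmdline: str
    dest_ports: list[int] = field(default_factory=list)

SFX_DIR = re.compile(r"\\temp\\7zs[0-9a-f]+[^\\]*\\", re.I)  # SFX extraction folder
VNC = re.compile(r"ultravnc|winvnc|vncviewer", re.I)

def check_proc(p: Proc) -> list[str]:
    """Flag renamed VNC binaries and scripts launched out of an SFX drop folder."""
    hits, fname = [], p.image.rsplit("\\", 1)[-1]
    if VNC.search(p.orig_name) and not VNC.search(fname):
        hits.append(f"masquerade: {fname} carries OriginalFilename {p.orig_name}")
        if 443 in p.dest_ports:      # remote-access tool blending into HTTPS traffic
            hits.append(f"{fname}: renamed VNC binary connecting out on tcp/443")
    if fname.lower() == "cmd.exe" and SFX_DIR.search(p.cmdline):
        hits.append("cmd.exe running a script out of a 7z SFX extraction folder")
    return hits

def check_batch(path: str, text: str) -> list[str]:
    """Flag a dropped .bat that pairs delayed expansion with launching an .exe."""
    body = text.lower()
    if path.lower().endswith((".bat", ".cmd")) and "enabledelayedexpansion" in body \
            and re.search(r"^\s*start\b.*\.exe", body, re.M):
        return [f"{path}: EnableDelayedExpansion batch that starts an executable"]
    return []

# Constructed sample telemetry mirroring the report's chain (not real IoCs)
TEMP = r"C:\Users\u\AppData\Local\Temp\7zS8C1F.tmp"
SAMPLE_PROCS = [
    Proc(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", f'cmd /c "{TEMP}\\run.bat"'),
    Proc(f"{TEMP}\\OneDrivers.exe", "winvnc.exe", "OneDrivers.exe -run", [443]),
    Proc(r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "OneDrive.exe",
         "OneDrive.exe /background", [443]),          # benign look-alike, no hit
]
SAMPLE_BAT = (f"{TEMP}\\run.bat",
              '@echo off\nsetlocal EnableDelayedExpansion\nstart "" brochure.pdf\n'
              'start "" OneDrivers.exe -run\n')
def run_all() -> list[str]:
    findings = [h for p in SAMPLE_PROCS for h in check_proc(p)]
    return findings + check_batch(*SAMPLE_BAT)
```

The OriginalFilename check is the useful part: renaming the file on disk does not change the PE version resource, so the mismatch survives the OneDrive disguise.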


“Since its exposure, this group has consistently mimicked the TTPs used by the Gamaredon group and cleverly used open-source tools as a shield to achieve its own goals while confusing the public,” the company said.


GamaCopy is one of many threat actors that have targeted Russian organizations in the wake of the Russo-Ukrainian war, such as Sticky Werewolf (aka PhaseShifters), Project Wolf, and Paper Werewolf.

“Groups like PhaseShifters, PseudoGamaredon, and Fluffy Wolf stand out for their relentless phishing campaigns aimed at data theft,” Positive Technologies’ Irina Zinovkina said.
