FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

Sekoia.io’s TDR team reconstructed a January 2026 Gamaredon infection chain targeting Ukraine, showing how the group uses GammaPhish and GammaWorm to deliver modular payloads through hidden Windows features, malicious archives, and dead-drop resolvers. The report also unifies Gamaredon malware naming and details how the worm persists, propagates via USB and network drives, and exfiltrates data through GammaSteel-like stages while maintaining backdoor access. #Gamaredon #GammaPhish #GammaWorm #GammaLoad #GammaSteel

Key points

  • Gamaredon is a Russian FSB-linked cyberespionage group that continues targeting Ukrainian government, military, and critical infrastructure networks.
  • The report reconstructs a January 2026 infection chain using forensic artifacts, partner-provided samples, and live C2 interaction.
  • Sekoia proposes a unified taxonomy for Gamaredon malware families, including GammaPhish, GammaLoad, GammaWorm, GammaSteel, and GammaWipe.
  • GammaPhish uses weaponized xHTML, HTML smuggling, and CVE-2025-8088 abuse in a RAR archive to place an HTA file in the Windows Startup folder.
  • GammaWorm relies heavily on NTFS Alternate Data Streams, scheduled tasks, registry changes, and malicious LNK files to persist and spread across USB and network drives.
  • The worm uses dead-drop resolvers hosted on public services like Telegram, Telegraph, Teletype, Cloudflare, and Supabase to maintain dynamic C2 infrastructure.
  • Gamaredon’s newer architecture is highly modular and fileless, with each stage capable of acting as a backdoor for remote code execution and configuration updates.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Initial delivery is likely via malicious email attachments containing the xHTML lure and archive (‘likely delivered as an attachment to a spearphishing email’)
  • [T1189] Drive-by Compromise / Lure Document Execution – The xHTML page is opened to display a fake downloaded document and trigger the malicious chain (‘DOCUMENT DOWNLOADED’)
  • [T1036] Masquerading – The archive uses fake authentication and legitimate-looking URLs to appear benign (‘adds www.bbc.com, to appear legitimate’)
  • [T1027] Obfuscated Files or Information – The HTA, VBScript, and worm code are heavily junk-filled and obfuscated (‘approximately 90% of junk and obfuscated code’)
  • [T1059.005] Visual Basic – Gamaredon uses VBScript loaders and worm logic for execution (‘executes mshta.exe… load a remote payload’)
  • [T1059.001] PowerShell – GammaSteel is described as a modular PowerShell stealer (‘a modular PowerShell stealer’)
  • [T1055] Process Injection – Not explicitly process injection, but remote execution is achieved by launching system utilities to run remote code (‘mshta.exe… execute the content of this file’)
  • [T1204.002] Malicious File – Archive – The malicious RAR archive is manually opened by the victim to continue execution (‘user must manually open the downloaded RAR archive’)
  • [T1074.001] Local Data Staging – GammaSteel stages modules entirely in the Windows registry before use (‘stages itself entirely within the Windows registry’)
  • [T1112] Modify Registry – Multiple registry keys are written to store C2, persistence, and visibility changes (‘writes… registry entry’, ‘modify Explorer registry settings’)
  • [T1053.005] Scheduled Task – GammaWorm creates scheduled tasks for persistence and module execution (‘creates scheduled tasks’)
  • [T1091] Replication Through Removable Media – The worm spreads via USB drives and creates copies on them (‘specifically targets USB and network drives’)
  • [T1021.002] SMB/Windows Admin Shares – Network drives and shares are targeted for propagation (‘targets network shares and USB drives’)
  • [T1547.001] Registry Run Keys / Startup Folder – The HTA is dropped into Startup and RunOnce is used for persistence (‘Start Menu\Programs\Startup’, ‘RunOnce\ExplorerGuard’)
  • [T1218.005] Mshta – mshta.exe is used to execute remote content from a URL (‘mshta.exe… remote payload’)
  • [T1105] Ingress Tool Transfer – The malware fetches payloads from C2 servers and public hosting services (‘fetch and execute arbitrary VBScript payloads’)
  • [T1132.001] Data Encoding – Base64 – Payloads are embedded and decoded from Base64 (‘Base64-encoded RAR archive’, ‘decodes the content from Base64’)
  • [T1568.003] Dynamic Resolution: Distributed Web Services – Dead drop resolvers use Telegram, Cloudflare, Supabase, and similar services (‘uses Dead Drop Resolvers… Telegram or Cloudflare’)
  • [T1021] Remote Services – Gamaredon’s infrastructure enables remote execution and operator control over compromised systems (‘arbitrary remote code execution’)
  • [T1070.004] File Deletion – The RunOnce persistence is removed by Windows after execution, but recreated by the malware (‘it will be deleted immediately after the command is launched’)
  • [T1119] Automated Collection – GammaSteel monitors files, drives, and USB insertions for exfiltration (‘real-time surveillance of specific files’)
  • [T1560] Archive Collected Data – Targeted files are exfiltrated to cloud storage after collection (‘exfiltrated to an S3-compatible cloud storage provider’)
  • [T1140] Deobfuscate/Decode Files or Information – The worm removes markers and Base64-decodes fetched code before execution (‘removing carriage returns and operator-inserted && markers’)

Indicators of Compromise

  • [File hash] Sample identifiers for GammaPhish and GammaWorm – 1794369214b7f62e70a0485e61335c61, 8e1624d110c090ff57d4b493a9107c66
  • [File name] Weaponized lure and worm samples – 1_13_5_1691_09.12.2025.xhtml, ~.gif
  • [File name] Extracted or dropped components – 2_14_6_1033_09.12.2025.rar, 2_14_6_1033_09.12.2025.HTA
  • [Domain/URL] Dead-drop and C2 infrastructure used for fetching payloads and resolving configuration – iiwdsxwamylbwwsoyrmj.supabase.co, graph.org, telegra.ph, teletype.in, t.me, trycloudflare.com
  • [IP address] Operator or fallback C2 endpoint referenced in the report – 104.194.140.6
  • [Registry keys] Persistence and C2 configuration storage – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ExplorerGuard, HKCU\Console\WindowsUpdates, HKCU\Console\WindowsResponby, HKCU\Console\WindowsDetect
  • [Registry keys] Additional configuration keys used by dead-drop resolver modules – HKCU\Console\URLTeletype, HKCU\Console\WindowsTelegra, HKCU\Console\URLTelegra, HKCU\Console\IpURL
  • [File paths] ADS-based storage locations and persistence targets – %USERPROFILE%:GTR, %USERPROFILE%:save, %USERPROFILE%:URL, %USERPROFILE%:LNK, %USERPROFILE%:SERVER
  • [Vulnerability] Exploited archive path traversal flaw – CVE-2025-8088
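A host-side check for the GammaWorm persistence artifacts listed in the key points and IoCs above (ADS on the user profile, the RunOnce\ExplorerGuard value, HKCU\Console configuration values, and scheduled tasks that launch mshta.exe). This is an added hunting script, not code from the Sekoia report; it assumes the ADS names are attached to the %USERPROFILE% directory itself and that the HKCU\Console entries are value names rather than subkeys.

```powershell
# Added hunting script (not from the Sekoia report). Run as the user whose
# profile is being checked; read-only, reports findings only.
$findings = @()

# 1. NTFS Alternate Data Streams on %USERPROFILE% (report lists :GTR, :save, :URL, :LNK, :SERVER)
$adsNames = 'GTR', 'save', 'URL', 'LNK', 'SERVER'
$streams = Get-Item -LiteralPath $env:USERPROFILE -Stream * -ErrorAction SilentlyContinue
foreach ($s in $streams) {
    if ($adsNames -contains $s.Stream) {
        $findings += ('ADS "{0}" ({1} bytes) on {2}' -f $s.Stream, $s.Length, $env:USERPROFILE)
    }
}

# 2. RunOnce\ExplorerGuard: Windows deletes it after use, the worm re-creates it,
#    so its presence at an arbitrary point in time is itself suspicious
$runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$eg = Get-ItemProperty -Path $runOnce -Name ExplorerGuard -ErrorAction SilentlyContinue
if ($eg) { $findings += "RunOnce\ExplorerGuard = $($eg.ExplorerGuard)" }

# 3. Configuration values the dead-drop resolver modules keep under HKCU\Console
#    (value names assumed from the report's key list)
$consoleValues = 'WindowsUpdates', 'WindowsResponby', 'WindowsDetect',
                 'URLTeletype', 'WindowsTelegra', 'URLTelegra', 'IpURL'
$console = Get-ItemProperty -Path 'HKCU:\Console' -ErrorAction SilentlyContinue
foreach ($v in $consoleValues) {
    if ($console -and $console.PSObject.Properties[$v]) {
        $findings += "HKCU\Console\$v = $($console.$v)"
    }
}

# 4. Scheduled tasks whose action runs mshta.exe (the loader used to fetch remote payloads)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'mshta') {
            $findings += "Scheduled task '$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No GammaWorm persistence artifacts found on this host.' }
```

A hit on any of these checks warrants pulling the referenced stream or registry value for analysis rather than deleting it, since the worm re-creates persistence from its other stages.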


Read more: https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/