FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad

MITRE Techniques

• [T1082 ] System Information Discovery – The first-stage loader fingerprints the victim by collecting the computer name and disk serial number (‘retrieving the %COMPUTERNAME% and the hexadecimal serial number of the system drive’).
• [T1012 ] Query Registry – The malware checks multiple registry keys to locate cached C2 URLs and restore prior communications (‘it iterates through a specific sequence of registry keys to find an active URL’).
• [T1119 ] Automated Collection – The chain steals documents in transit, at rest, and while being edited in real time (‘steals documents whether they are stored, being transferred, or actively edited in real time’).
• [T1071.001 ] Web Protocols – C2 and payload retrieval are carried over HTTP GET traffic designed to blend in with normal web requests (‘the loader generates an HTTP GET request designed to blend with legitimate traffic’).
• [T1105 ] Ingress Tool Transfer – Payloads are fetched from remote C2/DDR infrastructure and executed on the host (‘fetches and executes the next stage’, ‘retrieval of another VBScript loader’).
• [T1218.005 ] System Binary Proxy Execution: Mshta – Not used in this article.
• [T1036 ] Masquerading – Randomized URL paths, extensions, and benign-looking User-Agent values are used to disguise malicious requests (‘dynamically generating random URL endpoints, filenames, and extensions’).
• [T1090.002 ] Proxy: External Proxy – The malware leverages third-party services as relays to resolve fresh C2 addresses (‘legitimate DDR services (Telegraph, Telegram, Check-Host)’).
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – The second stage creates a scheduled task for repeated execution (‘registers a scheduled task named WindowsApplicationDataDsSvcCleanup’).
• [T1027 ] Obfuscated Files or Information – The scripts use Base64, ROT13, XOR, and delimiter-based obfuscation to conceal payloads (‘Base64 encoding’, ‘ROT13 obfuscation’, ‘XOR-decrypts’).
• [T1055 ] Process Injection – Not explicitly described in the article.
• [T1059.005 ] Command and Scripting Interpreter: Visual Basic – The loaders are VBScript-based and executed with WScript (‘VBScript code’, ‘wscript.exe “%TEMP%:divedz0f”‘).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – The third stage spawns hidden PowerShell to run an encoded command (‘spawns a hidden PowerShell process’).
• [T1140 ] Deobfuscate/Decode Files or Information – The malware Base64-decodes, XOR-decrypts, and ROT13-deobfuscates content before execution (‘Base64 decoded and then decrypted via XOR’).
• [T1112 ] Modify Registry – The loaders write C2 values into registry keys to persist configuration (‘updates HKCUConsoleHistoryURL with this new address’).
• [T1070.004 ] File Deletion – Not explicitly described in the article.
• [T1564.004 ] Hide Artifacts: NTFS File Attributes – The dropper stores payloads in an Alternate Data Stream (‘writes it to an Alternate Data Stream (ADS) within %TEMP%’).
• [T1102 ] Web Service – The campaign uses Telegram, Telegraph, Cloudflare Workers, and Check-Host as dead-drop and C2 infrastructure (‘trusted third-party platforms’, ‘hosting C2 servers’).
• [T1573 ] Encrypted Channel – The article notes XOR decryption of retrieved payloads (‘decrypted via XOR using a hardcoded key’).