EclecticIQ analysts found a publicly exposed SMTP web panel used by Gamaredon to automate spear-phishing campaigns targeting Ukrainian government entities, delivering malicious Word documents via RAR attachments and spoofed sender addresses. The operation shows strong Gamaredon overlap in TTPs and infrastructure, including pivot IPs and a second-stage payload hosted at erythrocephala.online. #Gamaredon #erythrocephala.online
Keypoints
- Gamaredon is linked to a spear-phishing campaign against Ukrainian government entities (SZRU and SSU) identified in February 2023.
- A publicly facing SMTP web panel enabled automated creation and distribution of spear-phishing emails with malicious attachments.
- Two spear-phishing emails used RAR archives to deliver the initial malware, with flows identical to prior Gamaredon campaigns.
- The Word documents exploit CVE-2017-0199 to achieve code execution, after which a second-stage malware is downloaded from erythrocephala.online.
- Misconfigured .htaccess and pivot IPs (many Moscow-based) reveal infrastructure ties to Gamaredon, including IPs associated with the actor and domain ownership.
- Observations align with established Gamaredon activity, suggesting continued use of social engineering and adaptive TTPs against Ukraine and NATO partners.
MITRE Techniques
- [T1566.001] Spearphishing Attachment β The attacker used an exposed SMTP server to craft and deliver spear phishing emails containing a malicious attachment. Quote: βBoth of these emails contain a RAR archive file as an attachment, which are used to deliver the initial malware.β
- [T1203] Exploitation for Client Execution β The malicious Word document exploits a remote code execution vulnerability in Windows (CVE-2017-0199) to run code on the victimβs machine. Quote: βthe attachments exploit CVE-2017-0199, a Microsoft Office remote code execution vulnerability in Windows.β
- [T1105] Ingress Tool Transfer β After exploitation, the malware downloads a second-stage payload from an external domain (erythrocephala.online). Quote: βIf the exploitation is successful, then it will download a second-stage malware from the domain erythrocephala.online, which has been attributed to Gamaredon.β
Indicators of Compromise
- [IP] 194.180.191.56 β Publicly facing SMTP server used to craft and deliver spear-phishing emails.
- [IP] 109.200.159.40 β Pivot IP address found in .htaccess configuration.
- [IP] 109.200.159.59 β Pivot/author IP; referenced in VirusTotal linkage and X-Sender-IP metadata.
- [IP] 109.200.159.46 β Pivot IP; WHOIS records tie to a Gamaredon-linked registrant.
- [IP] 151.236.30.50 β Pivot IP address observed in server configuration.
- [IP] 192.121.87.11 β Pivot IP address observed in the exposed infrastructure.
- [Domain] erythrocephala.online β Domain hosting second-stage malware payload.
- [Domain] prokuratura.dp.ua β Hard-coded sender domain used by the web panel.
- [Domain] i.ua β Domain appearing in the From field to mislead recipients.
- [Hash] 5c66d34e0874e9c28f80f91c197a07db3acbdb22e7d822f669ef75d6db0f0044 β VirusTotal details related to the attached payload.
- [Hash] d282519a5f0134e5a3db91702a4aa3b1322081b42a50147d30d9e6deab0d8321 β VirusTotal details related to the attached payload.
- [CVE] CVE-2017-0199 β The vulnerability exploited by the Word document to achieve code execution.