Gamaredon’s Cyberespionage Tactics: Analyzing the Toolset Used for Surveillance on Ukraine in 2022 and 2023

ESET Research analyzes Gamaredon, a Russia-aligned APT focused on Ukraine, detailing the group's evolving toolset, aggressive operations, and the obfuscation techniques it uses to maintain access. The study notes a shift toward VBScript and PowerShell, as well as methods used to evade IP-based blocking and C&C takedowns. Hashtags: #Gamaredon #Ukraine #VBScript #PowerShell #PteroBleed #InvisiMole #FastFluxDNS

Keypoints

  • Gamaredon has been active since at least 2013 and is heavily focused on Ukraine.
  • The group conducts spearphishing campaigns and uses custom malware for cyberespionage.
  • Gamaredon is known for its noisy operations and willingness to be discovered, while still maintaining access to compromised systems.
  • There has been a shift toward VBScript and PowerShell, with reduced use of SFX archives.
  • They employ fast flux DNS to evade IP-based blocking and frequently use third-party services like Telegram and Cloudflare for evasion.
  • Targets include Ukrainian governmental institutions, with some attempts in NATO countries (Bulgaria, Latvia, Lithuania, Poland) but no successful breaches observed.
  • The toolset comprises downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools, including PteroBleed (and PteroScreen in the timeline).

MITRE Techniques

  • [T1566] Phishing – Spearphishing campaigns to compromise new victims. ‘To compromise new victims, Gamaredon conducts spearphishing campaigns and then uses its custom malware to weaponize Word documents and USB drives accessible to the initial victim.’
  • [T1071] Command and Control – ‘fast flux DNS to frequently change C&C servers’ IP addresses’ and ‘employs third-party services like Telegram and Cloudflare for evasion.’
  • [T1213] Data from Information Repositories – ‘Steals data from web applications, email clients, and messaging apps.’
  • [T1219] Remote Access Tools – ‘Uses backdoors to maintain access to compromised systems.’
  • [T1027] Obfuscated Files or Information – ‘Employs obfuscation techniques to bypass detection mechanisms.’

Indicators of Compromise

  • [Domain] C2 domains frequently updated, often with a .ru TLD – examples not disclosed in the article; see GitHub for IoCs
  • [Domain] C2-related domains used for evasion and fast flux DNS – examples not disclosed in the article; see GitHub for IoCs
  • [File name] PteroBleed – infostealer mentioned in the article as part of the toolset
  • [File name] PteroScreen – tool in Gamaredon’s arsenal; the article notes that not all of the group’s tools were discovered by ESET

Read more: https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-way-analysis-toolset-used-spy-ukraine-2022-2023/