Gamaredon’s PteroLNK Malware: Stealthy Espionage Tactics Uncovered

Summary: A deep-dive analysis by HarfangLab provides new insight into Gamaredon, a Russian cyberespionage group, focusing on its use of PteroLNK, a stealthy VBScript malware. The report describes how Gamaredon combines obfuscation, deceptive shortcut files and layered persistence mechanisms to evade detection and keep access to Ukrainian systems. The group also uses Cloudflare Tunnels for dynamic command-and-control (C2) communication, which keeps static C2 addresses out of the malware and adds to its operational stealth.

Affected: Ukrainian government and military personnel

Key points:

  • Gamaredon’s PteroLNK malware is designed for stealth, deploying its components from hidden paths and using base64-encoded payloads.
  • The malware stores its command-and-control configuration in registry keys and can fall back on benign websites to retrieve updated C2 URLs.
  • Shortcut files are used as a propagation method, mimicking legitimate documents to encourage user interaction and lateral movement.
  • Cloudflare Tunnels facilitate rapid infrastructure rotation and avoid detection by not embedding static C2 addresses.
  • Attribution to Gamaredon is supported by consistent naming conventions, use of known C2 domains, and a focus on military-themed lure files.
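
As an added defender-side example, not code from the HarfangLab report or this article, the Python triage heuristic below scores shortcut metadata for the combination the report describes: a document-like file name, a script host as the target, a hidden or user-writable path, and a base64 blob in the arguments. The `LnkRecord` fields and the sample entries are constructed for illustration; in practice they would be filled from an LNK parser's output.

```python
import base64
import re
from dataclasses import dataclass

# Heuristic indicators drawn from the report's description of PteroLNK.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")
HIDDEN_PATHS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class LnkRecord:
    """Fields an LNK parser would extract; this structure is an assumption."""
    name: str    # shortcut file name as it appears on disk
    target: str  # resolved target executable
    args: str    # command-line arguments stored in the shortcut


def pterolnk_indicators(rec: LnkRecord) -> list:
    """Return the matched indicators; three or more warrants manual triage."""
    hits = []
    name = rec.name.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOC_EXTENSIONS):
        hits.append("document-like double extension")
    exe = rec.target.lower().rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        hits.append("target is a script host: " + exe)
    cmdline = (rec.target + " " + rec.args).lower()
    if any(p in cmdline for p in HIDDEN_PATHS):
        hits.append("references a hidden or user-writable path")
    if BASE64_RUN.search(rec.args):
        hits.append("long base64 run in arguments")
    return hits


def is_suspicious(rec: LnkRecord) -> bool:
    return len(pterolnk_indicators(rec)) >= 3


# Constructed sample records (not real artefacts from the report).
_PAYLOAD = base64.b64encode(b"constructed placeholder, stands in for an encoded VBScript stage").decode()
SAMPLES = [
    LnkRecord("Order_2024.pdf.lnk", r"C:\Windows\System32\wscript.exe",
              r"//e:VBScript C:\Users\victim\AppData\Local\Temp\1.vbs " + _PAYLOAD),
    LnkRecord("Notepad.lnk", r"C:\Windows\System32\notepad.exe", ""),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.name, "->", pterolnk_indicators(rec) or "clean")
```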

Source: https://securityonline.info/gamaredons-pterolnk-malware-stealthy-espionage-tactics-uncovered/