FSB’s matryoshka #3/3 – Gamaredon’s gifts that keeps unpacking – GammaSteel

Gamaredon, an FSB-operated Russian intrusion set, uses a highly obfuscated, fileless PowerShell stealer called GammaSteel to target Ukrainian organizations and exfiltrate documents through legitimate cloud services and fallback operator-controlled infrastructure. The campaign adds a new DPAPI-based registry-staging technique, USB propagation, real-time file surveillance, and Dead Drop Resolver-based configuration recovery to maintain persistent access and evade analysis. #Gamaredon #GammaSteel #DPAPI #Sekoia #Tebi.io #Telegram #Mastodon

Keypoints

  • Gamaredon is a long-running Russian cyberespionage group tied to the FSB and focused on Ukrainian government, military, and critical infrastructure targets.
  • The report introduces a unified naming taxonomy for the group’s malware families, including GammaPhish, GammaLoad, GammaWorm, GammaSteel, and GammaWipe.
  • GammaSteel is a PowerShell stealer that stores 71 encrypted functions in the HKCU\Printers registry key and uses DPAPI for user-bound decryption.
  • The stealer collects documents from three states: at rest via scheduled drive scans, in transit via USB monitoring, and in use via real-time file watching.
  • Exfiltration primarily uses S3-compatible storage on Tebi.io, with fallback uploads to operator-controlled servers that can also deliver VBScript for remote execution.
  • Gamaredon relies on Dead Drop Resolvers and legitimate platforms such as Telegram, Telegra.ph, Write.as, Rentry.co, Mastodon, and Supabase to rotate configuration and infrastructure.
  • The campaign heavily abuses native Windows features, registry staging, VBScript, and hidden PowerShell processes to stay persistent and difficult to analyze.
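As an added defensive example (not code from the Sekoia report or from the malware), the following PowerShell hunt looks for the two registry behaviours listed above: large DPAPI-style blobs staged under HKCU\Printers and PowerShell launchers in the HKCU Run key. It assumes it runs in the affected user's context (DPAPI data is user-bound), that staged values are REG_BINARY or Base64 strings, and that no optional DPAPI entropy was used; the size threshold and the Run-key regex are assumptions, not values from the report.

```powershell
# Added hunting example, not part of the original report. Run as the user whose
# profile is suspected; ProtectedData::Unprotect only succeeds in that user's context.
Add-Type -AssemblyName System.Security

$printersKey = 'HKCU:\Printers'
$runKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$minBlobSize = 256   # assumed threshold: Printers normally holds subkeys, not long values
$findings    = @()

# 1. Registry staging: flag long values under HKCU\Printers and test whether they
#    decrypt with the current user's DPAPI key (a staged payload would; noise would not).
$item = Get-Item -Path $printersKey -ErrorAction SilentlyContinue
if ($item) {
    foreach ($name in $item.GetValueNames()) {
        $data  = $item.GetValue($name)
        $bytes = $null
        if ($data -is [byte[]])   { $bytes = $data }
        elseif ($data -is [string]) {
            try { $bytes = [Convert]::FromBase64String($data) } catch { $bytes = $null }
        }
        if (-not $bytes -or $bytes.Length -lt $minBlobSize) { continue }

        $decrypts = $false; $preview = ''
        try {
            # Assumes no optional entropy; scope CurrentUser matches user-bound staging.
            $plain    = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, 'CurrentUser')
            $decrypts = $true
            $text     = [System.Text.Encoding]::UTF8.GetString($plain)
            $preview  = $text.Substring(0, [Math]::Min(80, $text.Length))
        } catch { }
        $findings += [pscustomobject]@{ Key = $printersKey; Value = $name; Bytes = $bytes.Length; DpapiDecrypts = $decrypts; Preview = $preview }
    }
}

# 2. Persistence: Run values that start PowerShell hidden, encoded, or reading the registry.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)powershell|pwsh' -and
            $cmd -match '(?i)-w(indowstyle)?\s*h|-e(nc|ncodedcommand)?\s|Get-ItemProperty|HKCU') {
            $findings += [pscustomobject]@{ Key = $runKey; Value = $p.Name; Bytes = $cmd.Length; DpapiDecrypts = $false; Preview = $cmd.Substring(0, [Math]::Min(80, $cmd.Length)) }
        }
    }
}

$findings | Format-Table -AutoSize
```

A blob that decrypts under DPAPI and previews as PowerShell source is a strong signal; a Run entry matched here should be correlated with hidden-window PowerShell process starts before treating it as confirmed.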

MITRE Techniques

  • [T1053.005] Scheduled Task/Job: Scheduled Task – Establishes persistence by writing a PowerShell command into the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key to relaunch the orchestrator at startup (‘installs a task designed to relaunch the orchestrator upon system startup’).
  • [T1547.001] Registry Run Keys / Startup Folder – Uses the Run key as persistence and stores staged payload pointers in HKCU\Printers (‘it writes a specific PowerShell command into the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key’).
  • [T1112] Modify Registry – Stores encrypted PowerShell functions and configuration data inside HKCU\Printers and repeatedly reads/writes registry values (‘storage of 71 encrypted functions within the HKCU\Printers registry key’).
  • [T1027] Obfuscated Files or Information – Obfuscates PowerShell and VBScript with Base64, XOR, junk code, and randomized variables (‘The code employs Base64 encoding combined with a XOR cipher’).
  • [T1027.009] Embedded Payloads – Embeds and unpacks staged code directly into memory and the registry (‘unpacking of embedded payloads’).
  • [T1140] Deobfuscate/Decode Files or Information – Decodes Base64 strings and applies XOR to recover executable content (‘decoding Base64 strings and applying a second XOR operation’).
  • [T1005] Data from Local System – Searches local and network drives for documents and steals files from the victim host (‘recurring scans of local and network drives’).
  • [T1057] Process Discovery – Enumerates Windows profiles and drives before targeting data (‘it queries the WMI class with gwmi win32_userprofile’).
  • [T1083] File and Directory Discovery – Scans drives, shares, and user folders to locate targeted files (‘map all available local hard disks and network shares for static files’).
  • [T1120] Peripheral Device Discovery – Detects USB mass storage devices and reacts to insertions (‘Register-WmiEvent … where TargetInstance.DriveType = 2’).
  • [T1036] Masquerading – Uses benign-looking paths, hidden windows, and plausible values to blend in (‘using the operating system name … as the value name to blend in’).
  • [T1095] Non-Application Layer Protocol – Uses HTTP PUT/POST channels to upload stolen data and receive commands (‘The data is then systematically uploaded’).
  • [T1105] Ingress Tool Transfer – Retrieves staged payloads, configurations, and VBScript code from remote infrastructure (‘read the HTTP response to execute any arbitrary VBScript code’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Communicates with C2 and storage services over HTTP/S to upload files and fetch DDR content (‘HTTP PUT request to an S3-compatible object storage service’).
  • [T1102.002] Web Service: Bidirectional Communication – Uses public services such as Telegram, Mastodon, Rentry.co, and Write.as to retrieve infrastructure data (‘Dead Drop Resolvers’).
  • [T1567.002] Exfiltration to Cloud Storage – Uploads stolen files to Tebi.io and other S3-compatible cloud endpoints (‘uploaded to legitimate S3-compatible cloud storage’).
  • [T1052.001] Exfiltration Over Physical Medium – Copies files from USB devices to a hidden staging folder for later upload (‘replication’ from external USB drive to the host system drive).
  • [T1204.002] User Execution: Malicious File – Decoy or staged files are used to trigger execution of embedded content (‘host a decoy PDF file embedded with malicious VBScript’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executes the infection chain, payload staging, persistence, and exfiltration logic in PowerShell (‘the script is an obfuscated PowerShell script’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Executes returned VBScript payloads with wscript.exe (‘execute it using wscript.exe … //e:vbscript //b’).
  • [T1041] Exfiltration Over C2 Channel – Falls back to operator-controlled servers for exfiltration and command delivery (‘fallback C2 channel operates bidirectionally’).
  • [T1070.004] File Deletion – Deletes local staging copies after successful upload (‘the local copy file in the staging folder is deleted’).
  • [T1001] Data Obfuscation – Hides metadata in multipart/form-data and random junk fields during fallback exfiltration (‘random “junk” data and :: delimiters’).

Indicators of Compromise

  • [Domains/Hosts] operator-controlled exfiltration and fallback infrastructure – justsstop[.]ru, 165.22.170[.]129
  • [URLs] Dead Drop Resolver and configuration sources – hxxps://api.telegra[.]ph/getPage/Hello-01-23-161, hxxps://write[.]as/api/posts/1nei1af6dnw8q, and 2 other URLs
  • [URL] configuration and C2 retrieval – hxxps://rentry[.]co/hwzrmfkx, hxxps://mastodon[.]social/api/v1/statuses/115942411657067215
  • [Domains] S3/cloud and resolution infrastructure referenced in the campaign – s3.tebi[.]io, s3.[VALUE].wasabisys[.]com, and other Tebi.io-related endpoints
  • [IP Addresses] operator and fallback network nodes – 165.22.170[.]129, and 115 other unique IPs observed in the campaign
  • [File/Registry Paths] staging and persistence locations – HKCU:\Printers\YxwHku2chu0bznt3kkyAB, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • [File/Registry Paths] registry-staged payload container and mutex – HKCU\Printers, Global\assembly307
  • [User-Agent Strings] fallback exfiltration disguise – Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 … Safari/604.1
  • [File Names/Artifacts] temporary execution and staged files – tmp[XXXX].tmp, Kjm19.dat, and the hidden staging folder named from the machine GUID prefix
  • [Cloud Services] infrastructure used for staging, exfiltration, or DDR – Tebi.io, Supabase, Telegram, Telegra.ph, Write.as, Mastodon, Rentry.co


Read more: https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/