Hunt.io Insights: Gamaredon’s Flux-Like Infrastructure and a Look at Recent ShadowPad Activity

This article explores the infrastructure patterns of two state-linked cyber threat groups, one based in Russia and one in China, focusing on Gamaredon and RedFoxtrot. It highlights, among other traits, their use of fast flux DNS techniques for operational stealth and the reuse of TLS certificates across their infrastructure. It then discusses what these patterns mean for cybersecurity defenses.

Affected: Gamaredon, RedFoxtrot, Russian government, Ukrainian government, Western government entities, African government entities, NATO member states

Key points:

  • Hunt.io identifies infrastructure associated with state-sponsored threat actors from Russia and China.
  • Gamaredon utilizes fast flux DNS techniques to obscure their identity and maintain operations since 2013.
  • Fast flux DNS allows rapid IP address rotations, complicating threat attribution and takedowns.
  • Gamaredon has targeted Ukrainian governmental and civil organizations as well as Western entities.
  • Research highlights the significance of shared TLS certificates among threat actor infrastructures.
  • RedFoxtrot is linked to server clusters sharing characteristics identified through specific TLS certificates.
  • ShadowPad, a modular backdoor, is identified within a cluster attributed to RedFoxtrot.
  • Indicators of Compromise (IOCs), including suspicious domains and IP addresses, have been compiled for further analysis.
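A defender-side check for the fast flux pattern described in the key points above, added here as an illustration and not code from the Hunt.io report: it groups passive-DNS observations by domain and flags domains that resolve to many IPs spread over several ASNs with short TTLs. The domain names, IPs and ASNs are constructed sample data, and the thresholds are assumptions to be tuned against real resolution data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS observation: a domain resolved to an IP with a TTL, in an ASN."""
    domain: str
    ip: str
    ttl: int
    asn: str


def flux_stats(records):
    """Summarise resolutions per domain: distinct IPs, distinct ASNs, lowest TTL seen."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)
    stats = {}
    for domain, recs in by_domain.items():
        stats[domain] = {
            "unique_ips": len({r.ip for r in recs}),
            "unique_asns": len({r.asn for r in recs}),
            "min_ttl": min(r.ttl for r in recs),
        }
    return stats


def is_flux_like(s, min_ips=5, min_asns=3, max_ttl=300):
    """Heuristic (assumed thresholds): many IPs over several ASNs, served with short TTLs."""
    return s["unique_ips"] >= min_ips and s["unique_asns"] >= min_asns and s["min_ttl"] <= max_ttl


# Constructed sample records (RFC 5737 documentation ranges, made-up ASNs).
SAMPLE = [
    Resolution("rotating.example", "192.0.2.10", 60, "AS64500"),
    Resolution("rotating.example", "192.0.2.11", 60, "AS64500"),
    Resolution("rotating.example", "198.51.100.5", 60, "AS64501"),
    Resolution("rotating.example", "198.51.100.9", 30, "AS64502"),
    Resolution("rotating.example", "203.0.113.7", 60, "AS64503"),
    Resolution("rotating.example", "203.0.113.8", 60, "AS64503"),
    Resolution("stable.example", "192.0.2.200", 3600, "AS64510"),
    Resolution("stable.example", "192.0.2.200", 3600, "AS64510"),
]


def flagged_domains(records):
    """Return the domains whose resolution pattern looks flux-like."""
    return sorted(d for d, s in flux_stats(records).items() if is_flux_like(s))


if __name__ == "__main__":
    print(flagged_domains(SAMPLE))
```

Real passive-DNS feeds also carry timestamps; adding a sliding window over them turns this into a rate-of-rotation check rather than a lifetime count.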

MITRE Techniques:

  • T1071 – Application Layer Protocol: Used by Gamaredon to disguise traffic by operating over common application layer protocols.
  • T1063 – Remote Access Software: ShadowPad acts as remote access software allowing persistence and internal network access.
  • T1560 – Archive Collected Data: ZIP archives containing malware are staged for delivery on specific IP addresses.
  • T1583 – Acquire Infrastructure: The groups purchase domain names and rent servers from popular VPS providers for their operations.

Indicators of Compromise:

  • [IP Address] 159.203.2.177
  • [Domain] innocentmillions.ru
  • [IP Address] 45.77.33.174
  • [Domain] update.updatemic.com
  • [SHA-256] 7ad3331be038b43c1a19066f1e4edbe85dfb08596d70774a5e15480394626d39


Full Story: https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad