A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities.
The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.
According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing the threat actors to remotely access the compromised hosts.
“The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine,” the company said in a report published last week.
The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, with the spear-phishing attacks paving the way for the MeshCentral platform instead of UltraVNC.
The starting point of the attack chain mirrors the one detailed by the Russian cybersecurity company, wherein a self-extracting (SFX) archive file created using 7-Zip acts as a conduit to drop next-stage payloads. This includes a batch script that is responsible for delivering UltraVNC, while also displaying a decoy PDF document.
The UltraVNC executable is given the name “OneDrivers.exe” in a likely effort to evade detection by passing it off as a binary associated with Microsoft OneDrive.
Knownsec 404 said the activity shares several similarities with Core Werewolf campaigns, including using 7z-SFX files to install and execute UltraVNC, port 443 to connect to the server, and the use of the EnableDelayedExpansion command.
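As an added illustration (not code from the report or from Knownsec 404), the following detection logic correlates constructed Sysmon-style process-creation and network events to flag the chain described above: a batch script launched from a Temp directory starting a VNC binary under a OneDrive-like name, which then connects out on port 443. Field names, the sample paths and the 203.0.113.x addresses are assumptions built for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (field names are an
# assumption, not from the report). Process p1 mirrors the GamaCopy chain:
# cmd.exe running a batch script starts UltraVNC renamed "OneDrivers.exe",
# which then beacons on 443. Process p2 is the legitimate OneDrive client.
EVENTS = [
    {"type": "process", "guid": "p1",
     "image": r"C:\Users\a\AppData\Local\Temp\OneDrivers.exe",
     "original_name": "winvnc.exe", "product": "UltraVNC", "signer": "",
     "parent_cmdline": r'cmd.exe /c "C:\Users\a\AppData\Local\Temp\setup.bat"'},
    {"type": "network", "guid": "p1", "dest_port": 443, "dest_ip": "203.0.113.10"},
    {"type": "process", "guid": "p2",
     "image": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "original_name": "OneDrive.exe", "product": "Microsoft OneDrive",
     "signer": "Microsoft Corporation", "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"type": "network", "guid": "p2", "dest_port": 443, "dest_ip": "203.0.113.20"},
]

ONEDRIVE_NAME = re.compile(r"onedrive", re.I)
VNC_MARKER = re.compile(r"vnc", re.I)

def process_findings(ev):
    """Return the reasons a process-creation event looks like renamed UltraVNC."""
    reasons = []
    name = ev["image"].rsplit("\\", 1)[-1]
    if ONEDRIVE_NAME.search(name) and ev["signer"] != "Microsoft Corporation":
        reasons.append("OneDrive-like file name but not Microsoft-signed")
    if VNC_MARKER.search(ev["original_name"]) or VNC_MARKER.search(ev["product"]):
        reasons.append("PE metadata identifies a VNC build")
    if ".bat" in ev["parent_cmdline"].lower() and "\\temp\\" in ev["image"].lower():
        reasons.append("launched by a batch script from a Temp directory")
    return reasons

def correlate(events):
    """Map process guid -> findings; add the 443 beacon only for suspect processes."""
    ports = defaultdict(set)
    for ev in events:
        if ev["type"] == "network":
            ports[ev["guid"]].add(ev["dest_port"])
    findings = {}
    for ev in events:
        if ev["type"] != "process":
            continue
        reasons = process_findings(ev)
        if reasons and 443 in ports[ev["guid"]]:
            reasons.append("outbound connection on port 443 from the suspect process")
        if reasons:
            findings[ev["guid"]] = reasons
    return findings

if __name__ == "__main__":
    for guid, reasons in correlate(EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```

The benign OneDrive process also talks on 443, which is why the port check is only counted once the binary itself has raised a finding.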
“Since its exposure, this organization has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public,” the company said.
GamaCopy is one of the many threat actors that have targeted Russian organizations in the wake of the Russo-Ukrainian war, such as Sticky Werewolf (aka PhaseShifters), Venture Wolf, and Paper Werewolf.
“Groups like PhaseShifters, PseudoGamaredon, and Fluffy Wolf stand out for their relentless phishing campaigns aimed at data theft,” Positive Technologies’ Irina Zinovkina said.