Russia-Linked Gamaredon Group Targets Ukraine with Remcos RAT: A Detailed Analysis
TL;DR
The Russia-linked Gamaredon group has launched a phishing campaign targeting Ukraine, using troop-related lures to deploy the Remcos RAT via a PowerShell downloader. This campaign, active since November 2024, highlights the group’s ongoing cyber-espionage efforts against Ukrainian entities.
Russia-Linked Gamaredon Group Targets Ukraine with Remcos RAT
Researchers at Talos have issued a warning about a phishing campaign orchestrated by the Russia-linked Gamaredon group, also known as Armageddon, Primitive Bear, ACTINIUM, and Callisto. This cyberespionage group has been conducting spear-phishing attacks against Ukrainian entities and organizations related to Ukrainian affairs since at least 2014.
Phishing Campaign Details
The threat actor is employing troop-related lures to deploy the Remcos RAT via a PowerShell downloader. This campaign, active since November 2024, involves a PowerShell downloader that connects to geo-fenced servers in Russia and Germany to retrieve a ZIP file containing the Remcos backdoor.
According to the Talos report, the campaign targets users in Ukraine with malicious LNK files that execute a PowerShell downloader. The second-stage payload uses DLL side-loading to execute the Remcos payload. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group.
Technical Insights
The phishing campaign distributes LNK files compressed inside ZIP archives, often disguised as Office documents with names related to the military invasion. The threat actor likely sends phishing emails with either an attached ZIP file or a URL link pointing to the file hosted on a remote server.
The malicious LNK files, created on two machines, contain PowerShell code to download the next-stage payload and a decoy file to disguise the infection. The PowerShell code avoids antivirus detection by using Get-Command to execute the payload. Researchers observed that the servers only respond to requests from Ukraine, returning HTTP 403 errors for connections from Germany and Russia, suggesting a focus on Ukrainian victims.
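The delivery chain above rests on a ZIP archive whose member is a Windows shortcut dressed up as a document. The following triage helper is an added example, not code from the Talos report or from this article: it opens a ZIP in memory, reads the first 20 bytes of each member, and flags members that carry the Shell Link file header (HeaderSize 0x4C plus the Shell Link CLSID 00021401-0000-0000-C000-000000000046), whose name ends in `.lnk`, or whose name hides a document extension in front of the shortcut. The archive it scans is constructed inline; the member names are invented and are not indicators from the campaign.

```python
import io
import os
import zipfile
from typing import Dict, List

# Shell Link (.LNK) file header: HeaderSize 0x0000004C followed by the
# Shell Link CLSID 00021401-0000-0000-C000-000000000046, little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Document extensions an LNK lure is likely to impersonate.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}


def classify_entry(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like an LNK lure (empty if none)."""
    lower = name.lower()
    has_lnk_ext = lower.endswith(".lnk")
    has_lnk_magic = head.startswith(LNK_MAGIC)
    reasons = []
    if has_lnk_magic:
        reasons.append("lnk-header")
    if has_lnk_ext:
        reasons.append("lnk-extension")
    if has_lnk_magic and not has_lnk_ext:
        # Shell Link content stored under a name that does not say .lnk
        reasons.append("extension-mismatch")
    if has_lnk_magic or has_lnk_ext:
        # Strip a trailing .lnk and look at the extension that remains, so
        # "report.docx.lnk" and a magic-only "report.docx" are both caught.
        stem = lower[:-4] if has_lnk_ext else lower
        if os.path.splitext(stem)[1] in DOCUMENT_EXTENSIONS:
            reasons.append("document-double-extension")
    return reasons


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Scan every file in a ZIP held in memory and report suspicious LNK members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive; the names and contents are made up, not campaign IoCs."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header magic plus padding, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"benign text file")
        zf.writestr("Mobilization_order.docx.lnk", fake_lnk)  # document name, .lnk extension
        zf.writestr("Report.pdf", fake_lnk)                   # LNK content under a document name
        zf.writestr("notes.lnk", fake_lnk)                    # plainly named shortcut
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f'{finding["name"]}: {", ".join(finding["reasons"])}')
```

Checking the header rather than only the extension matters because mail gateways and users both key on the name; a member whose bytes say "shortcut" while its name says "document" is the stronger signal, and the same check works on attachments before they are ever opened.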
Gamaredon typically employs custom scripts and tools but has recently been observed using the Remcos backdoor in their campaigns. The attack involves downloading a ZIP payload from servers, extracting it to the %TEMP% folder, and executing a seemingly clean application that loads a malicious DLL via DLL side-loading. This DLL acts as a loader, decrypting and executing the final Remcos payload from encrypted files within the ZIP.
The PowerShell scripts used to download the ZIP files indicate the abuse of legitimate applications for DLL side-loading, and the archives contain a mix of clean and malicious files. The report highlights that the sample downloaded by “Any.run” includes the clean application TivoDiag.exe and the malicious DLL mindclient.dll, which is loaded by TivoDiag.exe during execution.
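The side-loading step leaves a recognisable trace in endpoint telemetry: a just-extracted executable in a temp folder loading an unsigned DLL from that same folder. The detector below is an added example written for this article, not code from Talos or from the Remcos analysis. It consumes records shaped like Sysmon Event ID 7 (ImageLoaded) with the real field names `Image`, `ImageLoaded`, `Signed` and `SignatureStatus`, and scores each load on three independent signals. The sample events are constructed; the user path and folder name are invented, and only the TivoDiag.exe / mindclient.dll file names come from the report.

```python
import ntpath
from typing import Dict, List, Tuple

# Folders a phishing-delivered ZIP is typically unpacked into
# (case-insensitive substring match on the full path).
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")

# Locations where an unsigned DLL is common enough not to be a signal on its own.
TRUSTED_DLL_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def in_staging_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in STAGING_MARKERS)


def score_image_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons one image-load event looks like DLL side-loading (empty if none)."""
    image = event["Image"]
    loaded = event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return []
    reasons = []
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus", "").lower() != "valid")
    if in_staging_dir(loaded):
        reasons.append("dll-in-staging-dir")
    if unsigned and not loaded.lower().startswith(TRUSTED_DLL_PREFIXES):
        reasons.append("unsigned-dll-outside-trusted-dirs")
    # ntpath handles Windows paths regardless of the host this runs on.
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    if same_dir and in_staging_dir(image):
        # A freshly dropped executable pulling a DLL from its own temp folder:
        # the side-by-side pattern the report describes.
        reasons.append("side-by-side-load-from-staging-dir")
    return reasons


def detect_sideloading(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    hits = []
    for event in events:
        reasons = score_image_load(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


# Constructed Sysmon-style records (field names are Sysmon's; values are made up).
SAMPLE_EVENTS = [
    {   # clean app loading the malicious DLL from the extraction folder
        "Image": r"C:\Users\victim\AppData\Local\Temp\zip_extract\TivoDiag.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\zip_extract\mindclient.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # the same app loading a system DLL: expected, not reported
        "Image": r"C:\Users\victim\AppData\Local\Temp\zip_extract\TivoDiag.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # signed vendor DLL loaded from an installed location: not reported
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unsigned DLL from Downloads, but not side by side with its loader
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, loaded, reasons in detect_sideloading(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {', '.join(reasons)}")
```

The three-reason hit is the one worth an alert; the two-reason hit is a lower-severity lead. Because the report says the final payload is decrypted from files inside the ZIP, the image-load event on the loader DLL is often the last clean observation point before Remcos runs in memory.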
Indicators of Compromise (IoCs)
The report includes Indicators of Compromise (IoCs) for this threat, along with Snort rules for its detection. These IoCs are crucial for cybersecurity professionals to identify and mitigate the threat posed by the Gamaredon group.
Conclusion
The ongoing phishing campaign by the Gamaredon group underscores the persistent cyber threat faced by Ukraine. By employing sophisticated tactics and tools, the group continues to target Ukrainian entities with precision. Cybersecurity professionals must remain vigilant and proactive in detecting and mitigating such threats to protect critical infrastructure and sensitive information.
Additional Resources
For further insights, check out the following resources:
- Gamaredon Targets Western Government Entity in Ukraine
- Gamaredon APT Group and LitterDrifter USB Campaign
- UK and US Expose Russia-Linked Callisto Group
For more details, visit the full article: source