The Russia-linked Gamaredon group unsuccessfully attempted to break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war.
The attack, which took place on August 30, 2022, is just one of several attacks orchestrated by the advanced persistent threat (APT) that is attributed to Russia's Federal Security Service (FSB).
Gamaredon, also known by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a history of primarily targeting Ukrainian entities and, to a lesser extent, NATO allies to harvest sensitive data.
"As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," Palo Alto Networks Unit 42 said in a report shared with The Hacker News. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine."
Unit 42's continued monitoring of the group's activities has uncovered more than 500 new domains, 200 malware samples, and several shifts in its tactics over the past 10 months in response to ever-changing and expanding priorities.
Beyond cyberattacks, the larger security community is said to have been on the receiving end of threatening tweets from a purported Gamaredon affiliate, highlighting the intimidation tactics adopted by the adversary.
Other noteworthy techniques include the use of Telegram pages to look up command-and-control (C2) servers and fast-flux DNS to rotate through many IP addresses in a short span of time, making IP-based denylisting and takedown efforts harder. Because the addresses change so quickly, the domain names and the Telegram pages used to look up C2 servers are longer-lived indicators than any single IP.
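Fast-flux DNS is easier to reason about when the rotation is measured rather than described. The following is an added example, not code from the article or from Unit 42: it scores passive-DNS observations per domain by how many distinct IP addresses (and distinct /24 networks) a name resolved to within a sliding time window, and by how low the record TTLs are. The log format, the thresholds, and every sample record are constructed for illustration and do not describe real Gamaredon infrastructure.

```python
"""Flag fast-flux-like domains in passive-DNS observations.

Added example (not from the Unit 42 report or the article). The record
format, thresholds and sample data are all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample observations: (ISO timestamp, queried name, A record, TTL).
# Addresses are from documentation ranges; nothing here is real infrastructure.
SAMPLE_RESOLUTIONS = [
    ("2022-08-30T08:00:00", "cdn-update.example.net", "203.0.113.10", 60),
    ("2022-08-30T08:05:00", "cdn-update.example.net", "198.51.100.77", 60),
    ("2022-08-30T08:10:00", "cdn-update.example.net", "192.0.2.45", 60),
    ("2022-08-30T08:15:00", "cdn-update.example.net", "203.0.113.200", 30),
    ("2022-08-30T08:20:00", "cdn-update.example.net", "198.51.100.9", 60),
    ("2022-08-30T08:25:00", "cdn-update.example.net", "192.0.2.130", 45),
    # A stable name for contrast: one address, long TTL.
    ("2022-08-30T08:00:00", "www.example.org", "192.0.2.1", 3600),
    ("2022-08-30T09:00:00", "www.example.org", "192.0.2.1", 3600),
]


@dataclass
class FluxScore:
    domain: str
    distinct_ips: int       # most distinct A records seen in any one window
    distinct_slash24: int   # distinct /24 networks in that same window
    min_ttl: int            # lowest TTL observed for the name
    is_fast_flux: bool


def score_domain(domain, observations, window=timedelta(hours=1),
                 min_ips=5, min_nets=3, max_ttl=300):
    """Score one domain. `observations` is a list of (datetime, ip, ttl).

    A sliding window starts at each observation and collects everything
    seen within `window`; the most diverse window decides the score.
    Thresholds are assumptions to tune against your own baseline.
    """
    obs = sorted(observations)
    best_ips, best_nets = set(), set()
    for i, (start, _, _) in enumerate(obs):
        ips, nets = set(), set()
        for ts, ip, _ in obs[i:]:
            if ts - start > window:
                break
            ips.add(ip)
            # Rotation across unrelated /24s is a stronger signal than
            # rotation inside a single provider's block.
            nets.add(ip_network(f"{ip}/24", strict=False))
        if len(ips) > len(best_ips):
            best_ips, best_nets = ips, nets
    min_ttl = min(ttl for _, _, ttl in obs)
    flagged = (len(best_ips) >= min_ips
               and len(best_nets) >= min_nets
               and min_ttl <= max_ttl)
    return FluxScore(domain, len(best_ips), len(best_nets), min_ttl, flagged)


def find_fast_flux(records, **thresholds):
    """Group raw records by normalised name and score each domain."""
    by_domain = defaultdict(list)
    for ts, name, ip, ttl in records:
        key = name.lower().rstrip(".")
        by_domain[key].append((datetime.fromisoformat(ts), ip, ttl))
    return {d: score_domain(d, obs, **thresholds) for d, obs in by_domain.items()}


if __name__ == "__main__":
    for score in find_fast_flux(SAMPLE_RESOLUTIONS).values():
        print(score)
```

In the constructed sample the rotating name hits six addresses across three /24s in 25 minutes with TTLs of 60 seconds or less, so it is flagged; the stable name is not. The /24 diversity check matters in practice because legitimate CDNs also rotate addresses with short TTLs, but usually within a few of their own netblocks, so thresholds should be calibrated against the normal traffic of the environment before the score is used for blocking rather than triage.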
The attacks themselves entail the delivery of weaponized attachments embedded within spear-phishing emails to deploy a VBScript backdoor on the compromised host that is capable of establishing persistence and executing additional VBScript code supplied by the C2 server.
Gamaredon infection chains have also been observed leveraging geoblocking to limit the attacks to specific locations, along with the use of dropper executables to launch next-stage VBScript payloads, which subsequently connect to the C2 server to execute further commands.
The geoblocking mechanism functions as a security blind spot: it reduces the visibility of the threat actor's attacks outside of the targeted countries, since sandboxes and analysts located elsewhere never receive the later stages, and so makes its activities harder to track.
"Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations," the researchers said. "In most cases, they rely on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their operations."