One Article Review

Source CISCO Talos
Identifier 6908845
Publication date 2022-09-15 08:02:21 (viewed: 2022-09-15 13:06:09)
Title Gamaredon APT targets Ukrainian government agencies in new campaign
Text By Asheer Malhotra and Guilherme Venere. Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase. We discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers. Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. The adversary uses phishing emails to deliver Microsoft Office documents containing remote templates with malicious VBScript macros. These macros download and open RAR archives containing LNK files that subsequently download and activate the next-stage payload on the infected endpoint. We observed considerable overlap between the tactics, techniques and procedures (TTPs), malware artifacts and infrastructure used in this campaign and those used in a series of attacks the Ukraine Computer Emergency Response Team (CERT-UA) recently attributed to Gamaredon. We also observed intrusion attempts against several Ukrainian entities.
Based on these observations and Gamaredon's operational history of almost exclusively targeting Ukraine, we assess that this latest campaign is almost certainly directly targeting entities based in Ukraine.

Attack Chain

Initial Access

Gamaredon APT actors likely gained initial footholds into targeted networks through malicious Microsoft Office documents distributed via email. This is consistent with spear-phishing techniques common to this APT. Malicious VBS macros concealed within remote templates execute when the user opens the document. The macros download RAR archives containing LNK files. The naming convention of the RAR archives in this campaign follows a similar pattern:

31.07.2022.rar
04.08.2022.rar
Sent Yes
Tags Threat Malware


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from a previous one.