The Russian intelligence group Gamaredon, linked to the FSB’s 18th Center, is believed to be working with the newly identified threat actor InvisiMole.
Gamaredon, predominantly targeting Ukrainian government institutions, has recently attempted to breach targets in several NATO countries. While unsuccessful, these attempts indicate a potential expansion of their attack scope.
Its cyberattacks on Ukrainian machines increased significantly between November 2022 and December 2023, with daily additions peaking in the summer of 2023, which indicates a sustained and intensifying threat from Gamaredon to Ukrainian digital infrastructure.
It uses spearphishing to target new victims, then weaponizes Word documents and USB drives with custom malware. These compromised files are likely to be shared with other potential victims, expanding the attack’s reach.
Gamaredon, a reckless APT group, prioritizes maintaining access to compromised systems over stealth and avoiding detection by security products but is unconcerned about being discovered during their operations.
By using a brute force approach to maintain access by deploying multiple, basic downloaders and backdoors, it compensates for the simplicity of its tools by frequently updating and obfuscating them to avoid detection.
It has evolved its toolkit from SFX archives to VBScript and PowerShell, primarily focusing on data exfiltration from web applications, email clients, and messaging apps like Signal and Telegram, reflecting a more sophisticated approach to cyberespionage.
PteroBleed, a newly identified infostealer, targets sensitive data from a Ukrainian military system and a governmental webmail service, along with other tools released in 2022 and 2023, demonstrating a growing trend of cyberattacks targeting Ukrainian infrastructure.
Gamaredon leverages a diverse toolkit, including downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools to compromise systems. The group uses various methods to deliver and execute payloads, exfiltrate sensitive data, maintain persistence, and perform specific tasks.
It leverages fast flux DNS and frequent domain registration updates, primarily using .ru TLDs, to dynamically change its C&C server IP addresses and domains, thereby evading IP and domain-based blocking techniques.
According to ESET, it has also shown resourcefulness by using various techniques to avoid detection from networks, as they’ve used third-party services like Telegram, Cloudflare, and ngrok to hide their activities.
Despite its basic tools, it poses a persistent threat due to its aggressive tactics, which are likely to remain focused on Ukraine given the ongoing conflict in the region.