Russian APT Group Attacks Ukrainian Military Using Spear-Phishing

Gamaredon is targeting Ukrainian military personnel with spear-phishing emails containing malicious XHTML attachments. When opened, these attachments execute obfuscated JavaScript code to download a malicious archive. 

The archive includes an LNK file that, when triggered, uses mshta.exe to execute a remote .tar archive hosted on TryCloudflare[.]com, designed to compromise the victim’s system and potentially steal sensitive information.

Threat actors are exploiting TryCloudflare’s one-time tunnel feature to conceal malicious files and reach remote resources without detection. The campaign distributes similar files widely, and the ongoing discovery of new samples suggests it remains active.

The inclusion of a 1-pixel remote image indicates that the threat actors are tracking victim interactions with the malicious files, likely to assess the campaign’s effectiveness.

Gamaredon, a Russian APT group, is actively targeting Ukraine with persistent cyber-espionage campaigns. Despite using relatively simple tools, its focused attacks on critical infrastructure, government institutions, and military targets have been successful. 

The group has a history of exploiting geopolitical tensions between Russia and Ukraine, employing techniques like DLL sideloading and malicious document distribution to compromise systems. Its ongoing activities pose a significant threat to Ukrainian cybersecurity.

Gamaredon Sample Observed in the Wild

Gamaredon has launched a large-scale phishing campaign targeting Ukrainian entities, using sophisticated lures to get victims to open malicious attachments that carry out malicious activity on infected systems, demonstrating the group’s continued efforts to exploit the ongoing conflict.

Cyble Research and Intelligence Labs has identified a spear-phishing campaign targeting Ukrainian military personnel, orchestrated by Gamaredon. The malicious email contains an XHTML attachment that, upon opening, executes several malicious activities on the infected system.

The Gamaredon campaign utilizes a spear-phishing email with a malicious XHTML attachment to deliver a RAR archive. Upon opening the attachment, the user is presented with a misleading message while the archive is silently extracted to the Downloads folder. 

XHTML file

The XHTML file contains obfuscated JavaScript code embedded within a `div` element that executes when the file is opened or interacted with, which is designed to evade detection and likely facilitates the execution of additional malware or malicious actions.

Attackers employed a multi-stage attack technique to target victims by concealing a Base64-encoded 7zip archive within a JavaScript script hosted on a compromised website. When a user visited the website, the script extracted the archive and saved it as a RAR file. 
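The two observable traits described on this page, a large Base64 blob that decodes to an archive and a 1-pixel remote image, can be checked for directly in a suspicious HTML/XHTML attachment. The following triage script is an added example, not part of the original report or of any Cyble tooling; the sample document it scans is constructed, with a fake RAR header and a placeholder beacon URL.

```python
import base64
import re

# Archive signatures the page's campaign is reported to carry (RAR and 7-Zip).
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "RAR",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}
# A run of base64 text long enough to plausibly hold a file rather than a token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# <img ...> tags; we then look for width and height both equal to 1.
IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def find_smuggled_archives(html: str):
    """Decode every long base64 run and report those whose first bytes are an
    archive signature (the HTML-smuggling pattern). Returns (type, size) pairs."""
    findings = []
    for m in B64_BLOB.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not clean base64, e.g. a long identifier
        for magic, name in ARCHIVE_MAGIC.items():
            if data.startswith(magic):
                findings.append((name, len(data)))
    return findings

def find_tracking_pixels(html: str):
    """Return the src URLs of 1x1 images fetched over HTTP(S), i.e. beacons."""
    beacons = []
    for tag in IMG_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        src = attrs.get("src", "")
        if attrs.get("width") == "1" and attrs.get("height") == "1" and src.startswith("http"):
            beacons.append(src)
    return beacons

def triage(html: str):
    return {"archives": find_smuggled_archives(html), "beacons": find_tracking_pixels(html)}

# Constructed sample: a fake RAR5 header plus padding, base64-encoded into a
# <div>, followed by a constructed 1x1 tracking image (placeholder URL).
_fake_rar = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 300
SAMPLE_XHTML = (
    '<html><body><div id="p">' + base64.b64encode(_fake_rar).decode() + "</div>"
    '<img src="http://tracker.example/pixel.gif" width="1" height="1"/>'
    "</body></html>"
)

if __name__ == "__main__":
    print(triage(SAMPLE_XHTML))
```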

Property of LNK File

The RAR file contained a malicious LNK file that, upon execution, used mshta.exe to launch a remote TAR file hosted on TryCloudflare, which likely contained malware designed to steal sensitive data from the victim’s system. 

By utilizing TryCloudflare, the attackers were able to bypass traditional detection methods and establish a covert channel for communication.

Gamaredon APT’s persistent targeting of Ukrainian military personnel relies on spear-phishing emails with malicious XHTML attachments and obfuscated JavaScript payloads, with later stages hosted on TryCloudflare tunnels, demonstrating the group’s evolving tactics.

To mitigate this threat, organizations should train users to recognize phishing attempts, implement email and anti-malware solutions, monitor for unusual network activity, use application whitelisting, and leverage threat intelligence to block malicious domains and resources.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
