Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.[1][2][3][4][5]
In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18.[6][5]

| Name | Description |
|---|---|
| IRON TILDEN | |
| Primitive Bear | |
| ACTINIUM | |
| Armageddon | |
| Shuckworm | |
| DEV-0157 | |
| Aqua Blizzard | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address.[10][11] |
| Enterprise | T1025 | Data from Removable Media | A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.[1][3] |
| Enterprise | T1005 | Data from Local System | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.[3] |
| Enterprise | T1039 | Data from Network Shared Drive | Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.[3] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Gamaredon Group has used legitimate process names to hide malware including |
| Enterprise | T1112 | Modify Registry | Gamaredon Group has removed security settings for VBA macro execution by changing registry values |
| Enterprise | T1534 | Internal Spearphishing | Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.[3] |
| Enterprise | T1137 | Office Application Startup | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the |
| Enterprise | T1568 | Dynamic Resolution | Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.[8] |
| Enterprise | T1568.001 | Dynamic Resolution: Fast Flux DNS | Gamaredon Group has used fast flux DNS to mask their command and control channel behind rotating IP addresses.[11] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.[2][3] Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications.[11] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.[2][3][10][11] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Gamaredon Group has used obfuscated PowerShell scripts for staging.[5] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.[1][3][10][8] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.[2][3][10][5][7] |
| Enterprise | T1120 | Peripheral Device Discovery | Gamaredon Group tools have contained an application to check the performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.[1][3] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[3] |
| Enterprise | T1113 | Screen Capture | Gamaredon Group's malware can take screenshots of the compromised computer every minute.[3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Gamaredon Group has used HTTP and HTTPS for C2 communications.[1][2][3][4][10][8][11] |
| Enterprise | T1480 | Execution Guardrails | Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations.[11] |
| Enterprise | T1001 | Data Obfuscation | Gamaredon Group has used obfuscated VBScripts with randomly generated variable names and concatenated strings.[11] |
| Enterprise | T1083 | File and Directory Discovery | Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.[3][8] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Gamaredon Group has registered domains to stage payloads.[5][8] |
| Enterprise | T1106 | Native API | Gamaredon Group malware has used |
| Enterprise | T1221 | Template Injection | Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.[12] Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.[2][3][10][5][8][7] |
| Enterprise | T1080 | Taint Shared Content | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.[3] |
| Enterprise | T1027 | Obfuscated Files or Information | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.[3] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Gamaredon Group has obfuscated .NET executables by inserting junk code.[3] |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Gamaredon Group has used obfuscated or encrypted scripts.[3][5] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.[11] |
| Enterprise | T1204.002 | User Execution: Malicious File | Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.[2][3][4][10][5][8][7][11] |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | Gamaredon Group has used tools to delete files and folders from victims' desktops and profiles.[10] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Gamaredon Group tools can delete files used during an operation.[2][4][10] |
| Enterprise | T1491.001 | Defacement: Internal Defacement | Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access.[10] |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Gamaredon Group has used |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Gamaredon Group malware has used rundll32 to launch additional malicious components.[3] |
| Enterprise | T1082 | System Information Discovery | A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[1][2][10] |
| Enterprise | T1033 | System Owner/User Discovery | A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.[1] |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as |
| Enterprise | T1102 | Web Service | Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.[3] |
| Enterprise | T1102.003 | Web Service: One-Way Communication | Gamaredon Group has used Telegram Messenger content to discover the IP address for C2 communications.[11] |
| Enterprise | T1119 | Automated Collection | Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.[3] |
| Enterprise | T1020 | Automated Exfiltration | Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.[3] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Gamaredon Group has registered multiple domains to facilitate payload staging and C2.[5][8] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia.[11] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Gamaredon Group has used various legitimate tools, such as |
| Enterprise | T1105 | Ingress Tool Transfer | Gamaredon Group has downloaded additional malware and tools onto a compromised host.[1][2][3][5] For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments.[11] |
| Enterprise | T1057 | Process Discovery | Gamaredon Group has used tools to enumerate processes on target hosts, including Process Explorer.[4][8] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Gamaredon Group malware can insert malicious macros into documents using a |
| Enterprise | T1021.005 | Remote Services: VNC | Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.[4][5][8] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.[2][3][10][5][8][7][11] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Gamaredon Group has used |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.[3][10][5][11] |

| ID | Name | References | Techniques |
|---|---|---|---|
| S0097 | Ping | [4] | Remote System Discovery |
| S0685 | PowerPunch | [5] | Command and Scripting Interpreter: PowerShell, Execution Guardrails: Environmental Keying, Obfuscated Files or Information: Command Obfuscation, Ingress Tool Transfer |
| S0147 | Pteranodon | [1][4][5][8][7] | Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Screen Capture, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Dynamic API Resolution, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Mshta, Virtualization/Sandbox Evasion, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task |
| S0686 | QuietSieve | [5] | Data from Local System, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, File and Directory Discovery, System Network Configuration Discovery: Internet Connection Discovery, Network Share Discovery, Ingress Tool Transfer, Hide Artifacts: Hidden Window |
| S0075 | Reg | Gamaredon Group has used Reg to add Run keys to the Registry.[11] | Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry |