
GamaCopy Mimics Gamaredon Ways in Cyber Espionage Concentrating on Russian Entities


Jan 27, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities.

The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.

According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing the threat actors to remotely access the compromised hosts.

“The TTP (Tactics, Techniques, and Procedures) of this group imitates that of the Gamaredon group which conducts attacks against Ukraine,” the company said in a report published last week.

The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, with the spear-phishing attacks paving the way for the MeshCentral platform instead of UltraVNC.

The starting point of the attack chain mirrors the one detailed by the Russian cybersecurity company, wherein a self-extracting (SFX) archive file created using 7-Zip acts as a conduit to drop next-stage payloads. This includes a batch script that is responsible for delivering UltraVNC, while also displaying a decoy PDF document.

The UltraVNC executable is given the name “OneDrivers.exe” in a likely effort to evade detection by passing it off as a binary associated with Microsoft OneDrive.

Knownsec 404 said the activity shares several similarities with Core Werewolf campaigns, including the use of 7z-SFX files to install and execute UltraVNC, port 443 to connect to the server, and the use of the EnableDelayedExpansion command.
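As an added defender-side example (not part of the report, and not Knownsec's or Kaspersky's tooling), the following Python scores process-start records against two traits described above: a VNC binary carrying a OneDrive-like file name, and a VNC component talking to TCP 443 instead of the usual VNC port. The record fields and all sample values are constructed assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed record shape: an EDR/Sysmon-style process start enriched with
# PE version-resource fields and the process's first outbound connection.
@dataclass
class ProcessEvent:
    image: str                 # path of the executable that was launched
    original_file_name: str    # OriginalFileName from the PE version resource
    file_description: str      # FileDescription from the PE version resource
    signer: str                # Authenticode signer, "" when unsigned
    dest_port: Optional[int]   # first outbound TCP port, None if none seen

# "OneDrive.exe", "OneDriveSetup.exe" and the report's "OneDrivers.exe" all match.
ONEDRIVE_LIKE = re.compile(r"^onedrive\w*\.exe$", re.IGNORECASE)
VNC_MARK = re.compile(r"vnc", re.IGNORECASE)

def assess(ev: ProcessEvent) -> List[str]:
    """Return the heuristics that fire for one event; an empty list means nothing suspicious."""
    hits = []
    base = ev.image.replace("/", "\\").rsplit("\\", 1)[-1]
    looks_like_onedrive = bool(ONEDRIVE_LIKE.match(base))
    # Renaming the file on disk does not change the version resource compiled into it.
    is_vnc = bool(VNC_MARK.search(ev.original_file_name) or VNC_MARK.search(ev.file_description))
    if looks_like_onedrive and is_vnc:
        hits.append("vnc_binary_named_like_onedrive")
    if looks_like_onedrive and "microsoft" not in ev.signer.lower():
        hits.append("onedrive_name_without_microsoft_signature")
    if is_vnc and ev.dest_port == 443:
        hits.append("vnc_component_connecting_on_443")
    return hits

# Constructed sample events: one genuine OneDrive start, one masquerading VNC
# server, one VNC server under its own name but beaconing on 443.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 "OneDrive.exe", "Microsoft OneDrive", "Microsoft Corporation", 443),
    ProcessEvent(r"C:\Users\u\AppData\Local\Temp\OneDrivers.exe",
                 "winvnc.exe", "VNC server for Win32", "", 443),
    ProcessEvent(r"C:\Tools\winvnc.exe",
                 "winvnc.exe", "VNC server for Win32", "", 443),
]

def scan(events: List[ProcessEvent]) -> dict:
    """Map each image path to the heuristics it triggered, dropping clean events."""
    return {ev.image: assess(ev) for ev in events if assess(ev)}

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```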

“Since its exposure, this group has continuously mimicked the TTPs used by the Gamaredon group and cleverly used open-source tools as a shield to achieve its own goals while confusing the public,” the company said.

GamaCopy is one of many threat actors that have targeted Russian organizations in the wake of the Russo-Ukrainian war, such as Sticky Werewolf (aka PhaseShifters), Venture Wolf, and Paper Werewolf.

“Groups like PhaseShifters, PseudoGamaredon, and Fluffy Wolf stand out for their relentless phishing campaigns aimed at data theft,” Positive Technologies’ Irina Zinovkina said.
