Russian hackers target Ukraine with default Word template hijacker (Security News, August 2022)
Threat analysts monitoring cyberattacks on Ukraine report that the operations of the notorious Russian state-backed hacking group 'Gamaredon' continue to heavily target the war-torn country.
Gamaredon is a group of Russian hackers believed to be part of the 18th Center of Information Security of the FSB, Russia's Federal Security Service.
The most recent infection vector involves phishing messages carrying a self-extracting 7-Zip archive that fetches an XML file from an "Xsph.ru" subdomain associated with Gamaredon since May 2022.
The Russian hackers used VBS downloaders to fetch the Pterodo backdoor, one of Gamaredon's trademark tools, and in some cases, the Giddome backdoor.
Ukraine's computer emergency response team also reported on recent Gamaredon activity last week after spotting a new phishing campaign relying on HTM attachments sent from compromised email accounts.
An interesting tactic spotted by Ukraine's cybersecurity agency is Gamaredon's attempted modification of the "Normal.dotm" file, Word's default template, on the host using a specially crafted macro.
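A defender checking for this kind of template tampering wants to know whether the default template has become macro-enabled. The following is an added example, not code from the article or from any vendor's tooling: a .dotm is an OOXML zip package, and a VBA project, if present, is stored as the part `word/vbaProject.bin`. The sample templates below are constructed in memory; the Normal.dotm location under `%APPDATA%\Microsoft\Templates` is the standard Windows path.

```python
import hashlib
import io
import os
import zipfile
from pathlib import Path

VBA_PART = "word/vbaProject.bin"  # OOXML part that holds a VBA project


def inspect_template(data: bytes) -> dict:
    """Report whether a .dotm package carries a VBA project.

    A stock Normal.dotm has no vbaProject.bin. Finding one means the default
    template has become macro-enabled and deserves review, because Word loads
    Normal.dotm every time it starts.
    """
    result = {"has_vba": False, "vba_sha256": None, "parts": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            result["parts"] = z.namelist()
            if VBA_PART in result["parts"]:
                result["has_vba"] = True
                # Hash the VBA blob so it can be tracked or compared later.
                result["vba_sha256"] = hashlib.sha256(z.read(VBA_PART)).hexdigest()
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML package"
    return result


def build_sample_template(with_vba: bool) -> bytes:
    """Constructed stand-in for Normal.dotm (not a real Word template)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr(VBA_PART, b"constructed placeholder, not real VBA")
    return buf.getvalue()


def default_template_path() -> Path:
    """Standard location of the user's Normal.dotm on Windows."""
    appdata = os.environ.get("APPDATA", str(Path.home() / "AppData/Roaming"))
    return Path(appdata) / "Microsoft" / "Templates" / "Normal.dotm"


if __name__ == "__main__":
    for label, flag in (("clean", False), ("macro-enabled", True)):
        print(label, inspect_template(build_sample_template(flag)))
    local = default_template_path()
    if local.exists():
        print("local Normal.dotm:", inspect_template(local.read_bytes()))
```

On a host where Normal.dotm unexpectedly reports `has_vba: True`, compare the recorded hash against a known-good copy before deciding whether the change was user-made or hostile.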
Related news
- Russian Turla hackers hit Starlink-connected devices in Ukraine
- Russian cyber spies hide behind other hackers to target Ukraine
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
- Russian hackers hijack Pakistani hackers' servers for their own attacks
- FSB Uses Trojan App to Monitor Russian Programmer Accused of Supporting Ukraine
- Russian hackers use RDP proxies to steal data in MiTM attacks
- Russian ISP confirms Ukrainian hackers "destroyed" its network
- How Russian hackers went after NGOs' WhatsApp accounts