Russian hackers target Ukraine with default Word template hijacker (Security News, August 2022)
Threat analysts monitoring cyberattacks on Ukraine report that the operations of the notorious Russian state-backed hacking group 'Gamaredon' continue to heavily target the war-torn country.
Gamaredon is a group of Russian hackers believed to be part of the 18th Center of Information Security of the FSB, Russia's Federal Security Service.
The most recent infection vector involves phishing messages carrying a self-extracting 7-Zip archive that fetches an XML file from an "Xsph.ru" subdomain associated with Gamaredon since May 2022.
The Russian hackers used VBS downloaders to fetch the Pterodo backdoor, one of Gamaredon's trademark tools, and in some cases, the Giddome backdoor.
Ukraine's computer emergency response team (CERT-UA) also reported on recent Gamaredon activity last week after spotting a new phishing campaign relying on HTM attachments sent from compromised email accounts.
An interesting tactic spotted by CERT-UA is Gamaredon's attempted modification of the "Normal.dotm" file on the host using a specially crafted macro. Normal.dotm is Word's global default template, loaded every time Word starts, so a macro planted in it runs on every launch and persists independently of the original phishing document.
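The check a defender would want after reading about the Normal.dotm tactic is whether the template on a host carries any VBA at all, since a stock Normal.dotm has none. The following added example, which is not code from the article, from CERT-UA or from any vendor, inspects a .dotm as the OOXML zip container it is and flags the two indicators of an embedded VBA project: the zip member `word/vbaProject.bin` and the matching content-type declaration in `[Content_Types].xml`. The sample templates it builds are constructed in memory for illustration, and the default per-user template path it looks at assumes a standard Office installation.

```python
"""Flag a Word template (Normal.dotm) that carries an embedded VBA project.

Added example, not the article's or any vendor's code. Facts relied on:
a macro-enabled OOXML file stores its VBA project as the zip member
'word/vbaProject.bin' and declares it in '[Content_Types].xml'; a stock
Normal.dotm has neither. Sample containers below are constructed, not real.
"""
import io
import os
import zipfile
from pathlib import Path

VBA_MEMBER = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES = "[Content_Types].xml"


def inspect_template(data: bytes) -> dict:
    """Return the VBA indicators present in an OOXML container given its bytes."""
    result = {"is_zip": False, "has_vba_member": False, "declares_vba_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container: a legacy binary .dot, a truncated file, or junk.
        return result
    with zf:
        names = set(zf.namelist())
        result["is_zip"] = True
        result["has_vba_member"] = VBA_MEMBER in names
        if CONTENT_TYPES in names:
            ctypes = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
            result["declares_vba_type"] = VBA_CONTENT_TYPE in ctypes
    return result


def is_suspicious(data: bytes) -> bool:
    """True if either indicator of an embedded VBA project is present."""
    r = inspect_template(data)
    return r["has_vba_member"] or r["declares_vba_type"]


def default_normal_dotm_path() -> Path:
    """Per-user Normal.dotm location (assumption: default Office layout on Windows)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Templates" / "Normal.dotm"


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like container, used only to demonstrate the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = (
            f'<Override PartName="/{VBA_MEMBER}" ContentType="{VBA_CONTENT_TYPE}"/>'
            if with_vba else ""
        )
        zf.writestr(
            CONTENT_TYPES,
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f"{override}</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for the OLE compound file that holds the VBA.
            zf.writestr(VBA_MEMBER, b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def scan_path(path: Path) -> dict:
    """Inspect a template on disk; 'present' is False if the file does not exist."""
    if not path.is_file():
        return {"present": False}
    data = path.read_bytes()
    report = inspect_template(data)
    report["present"] = True
    report["suspicious"] = is_suspicious(data)
    return report


if __name__ == "__main__":
    print("clean sample   :", inspect_template(build_sample(False)))
    print("macro sample   :", inspect_template(build_sample(True)))
    print("host Normal.dotm:", scan_path(default_normal_dotm_path()))
```

On a live host, pair the result with the file's modification time and the user's recent Word activity: a Normal.dotm that gained a VBA project shortly after a suspicious document was opened is the pattern the article describes. A template with no VBA project can still be modified (for example, to reference an external template), so this check covers the macro indicator specifically, not every possible tampering.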