Russian hackers target Ukraine with default Word template hijacker (Security News, August 2022)
Threat analysts monitoring cyberattacks on Ukraine report that the operations of the notorious Russian state-backed hacking group 'Gamaredon' continue to heavily target the war-torn country.
Gamaredon is a group of Russian hackers believed to be part of the 18th Center of Information Security of the FSB, Russia's Federal Security Service.
The most recent infection vector involves phishing messages carrying a self-extracting 7-Zip archive; once run, it fetches an XML file from a subdomain of "xsph.ru", a domain associated with Gamaredon since May 2022.
That XML stage hands off to VBS downloaders, which fetch the Pterodo backdoor, one of Gamaredon's trademark tools, and in some cases the Giddome backdoor.
Ukraine's computer emergency response team (CERT-UA) also reported on recent Gamaredon activity last week after spotting a new phishing campaign relying on HTM attachments sent from compromised email accounts.
An interesting tactic spotted by CERT-UA is Gamaredon's attempted modification of the "Normal.dotm" file on the host using a specially crafted macro. Normal.dotm is Word's default global template and is loaded every time Word starts, so a macro planted there runs whenever the victim opens any document, giving the attackers persistence without leaving a dropped executable on disk.
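A defender's first question after reading about the Normal.dotm tactic is how to tell whether a user's default template has been tampered with. The script below is an added example, not Gamaredon's code or CERT-UA's tooling: it treats the template as what it is (a ZIP-based OOXML package), and flags the two things a clean default Normal.dotm never has, a word/vbaProject.bin part and a macro-enabled content type declared in [Content_Types].xml. The default Normal.dotm location under %APPDATA%\Microsoft\Templates\ is the standard Word path; the two sample templates it builds in memory are constructed test data, not real samples from the campaign.

```python
"""Check a Word global template (Normal.dotm) for embedded VBA.

Added example, not code from the article or from the actors it describes.
Normal.dotm is a ZIP container; a VBA payload lives in word/vbaProject.bin and
is declared in [Content_Types].xml. Either indicator on a default template is
worth investigating.
"""
import io
import os
import zipfile
from pathlib import Path
from typing import Optional

VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.template.macroEnabledMain+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.template.main+xml")
VBA_CT = "application/vnd.ms-office.vbaProject"


def inspect_template(data: bytes) -> dict:
    """Parse a .dotm/.dotx held in memory and report macro indicators."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        vba_size = zf.getinfo(VBA_PART).file_size if VBA_PART in names else 0
    return {
        "has_vba_part": VBA_PART in names,          # the macro project itself
        "vba_part_size": vba_size,
        "declares_macro_main": MACRO_MAIN_CT in content_types,  # "this is a .dotm"
        "declares_vba_part": VBA_CT in content_types,           # part registered
    }


def template_has_macros(data: bytes) -> bool:
    """True if any indicator fires; one is enough to warrant a look."""
    info = inspect_template(data)
    return (info["has_vba_part"] or info["declares_macro_main"]
            or info["declares_vba_part"])


def check_normal_dotm(path: Optional[str] = None) -> Optional[dict]:
    """Inspect the user's Normal.dotm. Default path is Word's standard
    location (assumption: no roaming/GPO redirection). None if not found."""
    if path is None:
        appdata = os.environ.get("APPDATA")
        if not appdata:
            return None
        path = Path(appdata) / "Microsoft" / "Templates" / "Normal.dotm"
    path = Path(path)
    if not path.is_file():
        return None
    info = inspect_template(path.read_bytes())
    info["path"] = str(path)
    info["mtime"] = path.stat().st_mtime  # compare with the user's last Word use
    return info


def build_sample_template(with_macro: bool) -> bytes:
    """Constructed test data: a minimal template, optionally with a VBA part."""
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    parts = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        parts.append(f'<Default Extension="bin" ContentType="{VBA_CT}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(parts) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic plus filler stands in for a real VBA project
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", False), ("tampered", True)):
        print(label, inspect_template(build_sample_template(sample)))
    live = check_normal_dotm()
    print("live Normal.dotm:", live if live else "not found on this host")
```

On a Windows fleet, run check_normal_dotm() through your endpoint tooling and alert on has_vba_part or declares_macro_main; a Normal.dotm whose mtime is more recent than the user's last document edit is the second signal to pair with it, since Word rewrites the template when autosave settings change but a user rarely adds macros to it deliberately.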