CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

2023-07-17 05:17

The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise.

"As a vector of primary compromise, for the most part, emails and messages in messengers are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine said in an analysis of the group published last week.

The group is estimated to have infected thousands of government computers.

It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconnaissance and execute additional commands.

According to CERT-UA, GammaSteel is used to exfiltrate files matching a specific set of extensions -.

A host operating in a compromised state for a week could have anywhere between 80 to 120 malicious files, the agency noted.

News URL

https://thehackernews.com/2023/07/cert-ua-uncovers-gamaredons-rapid-data.html

#cert #compromise #exfiltration