The Computer Emergency Response Team (CERT-UA) of Ukraine has issued a warning regarding the rapid actions of the hackers known as Gamaredon.
They possess the ability to swiftly pilfer data from compromised systems within an hour of breaching them.
- Gamaredon, also known as Armageddon or UAC-0010, is a cyber team that has gained prominence in recent years.
- Shuckworm is another notable cyber team, primarily operating from Russia and believed to be financially supported by the state.
- Members of Shuckworm have been linked to the Russian Federal Security Service (FSB).
- It is reported that Shuckworm includes former officers from Ukraine’s Security Service (SSU) who defected to Russia in 2014.
The Gamaredon team uses deceptive emails or messages on platforms such as Telegram, WhatsApp, and Signal to initiate attacks.
To accomplish the initial infection, they rely on recipients unknowingly opening malicious attachments disguised as Microsoft Word or Excel documents that actually contain HTM, HTA, or LNK files.
Once the victim opens one of these deceptive attachments, PowerShell scripts and malware, commonly referred to as “GammaSteel,” are executed on the targeted device.
The functionality of the GammaSteel malware, as emphasized by CERT-UA, focuses on targeting files with specific extensions: .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb.
If the attackers have a vested interest in the documents stored on a victim’s computer, they can successfully pilfer them within a remarkably short span of 30 to 50 minutes.
Furthermore, according to CERT-UA, the Gamaredon hackers exhibit a pattern of installing up to 120 maliciously infected archives per week on compromised systems.
This tactic is employed to increase the likelihood of re-infection and further exploit the compromised environment.
Hackers from the Gamaredon group frequently complicate the task of defenders by changing the IP addresses of command and control servers connected to intermediate victims.
They make these IP address changes approximately three to six times daily.
CERT-UA suggests blocking or restricting the unauthorized execution of mshta.exe, wscript.exe, cscript.exe, and powershell.exe to mitigate the impact of Gamaredon Russian hackers’ attacks.
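As an added example that is not part of the CERT-UA advisory, the following PowerShell builds a local AppLocker policy that denies the four binaries named above, in audit mode first. The file name, the Everyone SID and the assumption that the existing policy already contains the default Allow rules are mine, not CERT-UA's.

```powershell
# Added example, not from the CERT-UA advisory: AppLocker deny rules for the
# four binaries CERT-UA names, merged into the local policy in audit mode.
# Assumes: run elevated; the Application Identity service (AppIDSvc) is running;
# the existing policy already holds the default Allow rules (a deny-only Exe
# collection with no Allow rules blocks every executable once enforced).

# Executable -> path relative to the System32 / SysWOW64 directories.
$targets = @{
    'mshta.exe'      = 'mshta.exe'
    'wscript.exe'    = 'wscript.exe'
    'cscript.exe'    = 'cscript.exe'
    'powershell.exe' = 'WindowsPowerShell\v1.0\powershell.exe'
}
# AppLocker path variables: %SYSTEM32% and %WINDIR%\SysWOW64 cover both copies.
$dirs = @('%SYSTEM32%', '%WINDIR%\SysWOW64')
# Deny rules beat Allow rules and hit administrators too; S-1-1-0 (Everyone) is
# a placeholder, narrow it to the SID of the user group you mean to restrict.
$targetSid = 'S-1-1-0'

$rules = foreach ($exe in $targets.Keys) {
    foreach ($dir in $dirs) {
        $id = [guid]::NewGuid().ToString()
        $path = Join-Path $dir $targets[$exe]
@"
    <FilePathRule Id="$id" Name="Deny $exe (CERT-UA Gamaredon guidance)" Description="" UserOrGroupSid="$targetSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
    }
}

# AuditOnly logs would-be blocks as event ID 8003 in the
# "Microsoft-Windows-AppLocker/EXE and DLL" log; switch to Enabled after review.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'gamaredon-lolbin-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# -Merge adds these rules to the current local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml
```

Review the 8003 events for legitimate scripts that would break (scheduled tasks, management agents) before changing EnforcementMode to Enabled.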