Gamaredon Group
Associated Group Descriptions |
|
Name | Description |
---|---|
ACTINIUM | (Citation: Microsoft Actinium February 2022) |
DEV-0157 | (Citation: Microsoft Actinium February 2022) |
Aqua Blizzard | (Citation: Microsoft Threat Actor Naming July 2023) |
IRON TILDEN | (Citation: Secureworks IRON TILDEN Profile) |
Armageddon | (Citation: Symantec Shuckworm January 2022) |
Shuckworm | (Citation: Symantec Shuckworm January 2022) |
Primitive Bear | (Citation: Unit 42 Gamaredon February 2022) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Gamaredon Group has registered multiple domains to facilitate payload staging and C2.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022) |
.003 | Acquire Infrastructure: Virtual Private Server |
Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia.(Citation: unit42_gamaredon_dec2022) |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Gamaredon Group has used HTTP and HTTPS for C2 communications.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)(Citation: unit42_gamaredon_dec2022) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: unit42_gamaredon_dec2022) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Gamaredon Group has used obfuscated PowerShell scripts for staging.(Citation: Microsoft Actinium February 2022) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Secureworks IRON TILDEN Profile) |
||
Enterprise | T1491 | .001 | Defacement: Internal Defacement |
Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access.(Citation: CERT-EE Gamaredon January 2021) |
Enterprise | T1561 | .001 | Disk Wipe: Disk Content Wipe |
Gamaredon Group has used tools to delete files and folders from victims' desktops and profiles.(Citation: CERT-EE Gamaredon January 2021) |
Enterprise | T1568 | .001 | Dynamic Resolution: Fast Flux DNS |
Gamaredon Group has used fast flux DNS to mask their command and control channel behind rotating IP addresses.(Citation: unit42_gamaredon_dec2022) |
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Gamaredon Group has used |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.(Citation: ESET Gamaredon June 2020) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Gamaredon Group tools can delete files used during an operation.(Citation: TrendMicro Gamaredon April 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021) |
Enterprise | T1559 | .001 | Inter-Process Communication: Component Object Model |
Gamaredon Group malware can insert malicious macros into documents using a |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Gamaredon Group has used legitimate process names to hide malware including |
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Gamaredon Group has obfuscated .NET executables by inserting junk code.(Citation: ESET Gamaredon June 2020) |
.004 | Obfuscated Files or Information: Compile After Delivery |
Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in |
||
.010 | Obfuscated Files or Information: Command Obfuscation |
Gamaredon Group has used obfuscated or encrypted scripts.(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Gamaredon Group has used various legitimate tools, such as `mshta.exe` and Reg, and services during operations.(Citation: unit42_gamaredon_dec2022) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)(Citation: unit42_gamaredon_dec2022) |
Enterprise | T1021 | .005 | Remote Services: VNC |
Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: unit42_gamaredon_dec2022) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
Gamaredon Group has registered domains to stage payloads.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022) |
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
Gamaredon Group has used `mshta.exe` to execute malicious files.(Citation: Symantec Shuckworm January 2022)(Citation: unit42_gamaredon_dec2022) |
.011 | System Binary Proxy Execution: Rundll32 |
Gamaredon Group malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020) |
||
Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.(Citation: Symantec Shuckworm January 2022) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.(Citation: unit42_gamaredon_dec2022) |
.002 | User Execution: Malicious File |
Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)(Citation: unit42_gamaredon_dec2022) |
||
Enterprise | T1102 | .003 | Web Service: One-Way Communication |
Gamaredon Group has used Telegram Messenger content to discover the IP address for C2 communications.(Citation: unit42_gamaredon_dec2022) |
References
- CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
- Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
- Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
- Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors . Retrieved December 9, 2021.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.