Technology NewsGamaredon Group Launches Cyberattacks Against Ukraine Using Telegram

Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram


Jan 20, 2023Ravie LakshmananCyber War / Cyber Attack

Cyberattacks Against Ukraine

The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.

“The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload,” the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “This kind of technique to infect target systems is new.”

Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults against Ukrainian entities since at least 2013.

Last month, Palo Alto Networks Unit 42 disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.

Attack chains mounted by the threat actor have employed legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.

These documents, when opened, load a malicious template from a remote source (a technique called remote template injection), effectively getting around the need to enable macros in order to breach target systems and propagate the infection.

The latest findings from BlackBerry demonstrate an evolution in the group’s tactics, wherein a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to fly under the radar.

To that end, the remote template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP address specified in the Telegram channel to fetch the next-stage – a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file.

This PHP file is tasked with contacting another Telegram channel to retrieve a third IP address that contains the final payload, which is an information-stealing malware that was previously revealed by Cisco Talos in September 2022.

It’s also worth pointing out that the heavily obfuscated VBA script is only delivered if the target’s IP address is located in Ukraine.

“The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out,” BlackBerry pointed out.

“The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and with all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine.”

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National News Agency of Ukraine to the Russia-linked Sandworm hacking group.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Please enter your comment!
Please enter your name here

Latest news

Windows 11 – the latest version of Microsoft stealthily and without our consent gives away our privacy

We have known for a long time that the currency nowadays is not money, but our data. ...

Sydney Man Sentenced for Blackmailing Optus Customers After Data Breach

Feb 08, 2023Ravie LakshmananCyber Crime / SMS Fraud A Sydney man has been sentenced to an 18-month Community Correction...

the electric car is not enough for climate goals

Two electric car manufacturers shed light on the depth of the problem with joint research. ...

Xiaomi has just launched a special edition Hello Kitty mobile, but you won’t be able to have it

Like almost all special editions, this new Xiaomi Civi 2 Hello Kitty Special Limited Edition will be confined...

Red Velvet White Chocolate Chip Cookies

This website may contain affiliate links and advertising so that we can provide recipes to you. Read my...

Intel Core i5-10400F 10th Generation Processor with 12MB Cache Memory 6 Cores 12 Threads and 3 Years Warranty (Comes with Fan Inside The Box)

Price: (as of - Details)Intel Core i5-10400F Processor (12M Cache, up to 4.30 GHz)10th Generation Intel Core...

Must read