The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country.
The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.
"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns."
GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands.
The goal of the attacks is espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the "insistent" evolution of the group's tactics, with its malware toolset being redeveloped to stay under the radar, calling Gamaredon a "key cyber threat."
Attack chains commence with spear-phishing emails carrying a RAR archive that, when opened, activates a lengthy sequence comprising five intermediate stages – an LNK file, an HTA file, and three VBScript files – that eventually culminate in the delivery of a PowerShell payload.
Information pertaining to the IP address of the command-and-control (C2) servers is posted in Telegram channels that are periodically rotated, corroborating a report from BlackBerry late last month.
All the analyzed VBScript droppers and PowerShell scripts, per SCPC, are variants of GammaLoad and GammaSteel malware, respectively, effectively permitting the adversary to exfiltrate sensitive information.
The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed details of a new malicious campaign targeting state authorities of Ukraine and Poland.
The attacks take the form of lookalike web pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) in an attempt to trick visitors into downloading software that claims to detect infected computers.
However, launching the file – a Windows batch script named "Protector.bat" – executes a PowerShell script that's capable of capturing screenshots and harvesting files with 19 different extensions from the workstation.
CERT-UA has attributed the operation to a threat actor it calls UAC-0114, which is also known as Winter Vivern – an activity cluster that has in the past leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.
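Both intermediary chains described above, the LNK → HTA → VBScript → PowerShell staging attributed to Gamaredon and the "Protector.bat" batch file handing off to PowerShell in the Winter Vivern lure, leave a recognisable trail in process-ancestry data. The following is an added illustration, not SCPC or CERT-UA tooling and not code from either report: it reconstructs parent/child chains from Sysmon-style process-creation events and flags those whose tail matches either sequence. The event fields, process IDs, paths and command lines are constructed sample data, and the predicate names are my own.

```python
"""Flag suspicious process-ancestry chains in process-creation telemetry.

Added example (not SCPC/CERT-UA code). The two signatures mirror the staging
sequences described in the article: mshta.exe -> wscript.exe -> powershell.exe,
and cmd.exe running a .bat that spawns powershell.exe. All events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


def image_is(name):
    """Predicate: the event's image path ends with the given file name."""
    return lambda e: e.image.lower().endswith("\\" + name)


def cmdline_has(pattern):
    """Predicate: the event's command line matches a regex (case-insensitive)."""
    rx = re.compile(pattern, re.I)
    return lambda e: bool(rx.search(e.cmdline))


# Ordered predicates, oldest ancestor first; the last one must match the process itself.
SIGNATURES = {
    "hta-vbs-powershell chain": [
        image_is("mshta.exe"),
        image_is("wscript.exe"),
        image_is("powershell.exe"),
    ],
    "batch-to-powershell chain": [
        lambda e: image_is("cmd.exe")(e) and cmdline_has(r"\.bat\b")(e),
        image_is("powershell.exe"),
    ],
}


def ancestry(events_by_pid, pid, max_depth=10):
    """Return [root ancestor, ..., process] by following ppid links.

    Stops at an unknown parent, a PID cycle (reused PIDs), or max_depth.
    """
    chain, seen = [], set()
    cur = events_by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = events_by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def matches_tail(chain, predicates):
    """True if the predicates match the last len(predicates) links of the chain, in order."""
    n = len(predicates)
    if len(chain) < n:
        return False
    return all(p(e) for p, e in zip(predicates, chain[-n:]))


def detect(events):
    """Return (signature name, [pids of the full ancestry]) for every matching process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(by_pid, e.pid)
        for name, preds in SIGNATURES.items():
            if matches_tail(chain, preds):
                hits.append((name, [c.pid for c in chain]))
    return hits


# Constructed sample telemetry: two malicious chains and two benign look-alikes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Users\u\AppData\Local\Temp\stage1.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", "wscript.exe //e:vbscript stage2.vbs"),
    ProcEvent(400, 300, PS, "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\Protector.bat"'),
    ProcEvent(600, 500, PS, "powershell.exe -ExecutionPolicy Bypass -File collect.ps1"),
    ProcEvent(700, 100, PS, "powershell.exe"),                       # benign: interactive console
    ProcEvent(800, 1,   r"C:\Windows\System32\cmd.exe", "cmd.exe /c backup.bat"),  # benign: no PowerShell child
]

if __name__ == "__main__":
    for name, pids in detect(SAMPLE_EVENTS):
        print(f"{name}: {' -> '.join(map(str, pids))}")
```

Matching on the tail of the chain rather than anywhere in it keeps an interactive PowerShell console opened from Explorer, or a batch job that never launches PowerShell, out of the results; in production the same predicates would sit on top of Sysmon Event ID 1 or an EDR process-tree feed rather than an in-memory list.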
Russia's invasion of Ukraine in February 2022 has been complemented by targeted phishing campaigns, destructive malware strikes, and distributed denial-of-service (DDoS) attacks.
Cybersecurity firm Trellix said it observed a 20-fold surge in email-based cyber attacks on Ukraine's public and private sectors in the third week of November 2022, attributing a majority of the messages to Gamaredon.
Other malware families prominently disseminated via these campaigns consist of Houdini RAT, FormBook, Remcos, and Andromeda, the latter of which has been repurposed by the Turla hacking crew to deploy their own malware.
"As the Ukraine-Russia war continues, the cyber attacks on Ukraine energy, government and transportation, infrastructure, financial sector etc. are going on consistently," Trellix said. "In times of such panic and unrest, the attackers aim to capitalize on the distraction and stress of the victims to successfully exploit them."
Update
CERT-UA has designated the name Aperetif to the malware used by Winter Vivern, noting that its use started no later than May 25, 2022. It also assessed that the group "highly likely" includes Russian-speaking members.