CERT-UA Uncovers Gamaredon’s Rapid Data Exfiltration Tactics Following Initial Compromise

18-07-2023
Share
CERT-UA Uncovers Gamaredon’s Rapid Data Exfiltration Tactics Following Initial Compromise

The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise.

Gamaredon, also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is estimated to have infected thousands of government computers.

It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconnaissance and execute additional commands.

The messages typically come bearing an archive containing an HTM or HTA file that, when opened, activates the attack sequence.

Data Exfiltration

According to CERT-UA, GammaSteel is used to exfiltrate files matching a specific set of extensions – .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb – within a time period of 30 to 50 minutes.

The group has also been observed consistently evolving its tactics, making use of USB infection techniques for propagation. A host operating in a compromised state for a week could have anywhere between 80 to 120 malicious files, the agency noted.

Also significant is the threat actor’s use of AnyDesk software for interactive remote access, PowerShell scripts for session hijacking to bypass two-factor authentication (2FA), and Telegram and Telegraph for fetching the command-and-control (C2) server information.

 

Source: https://thehackernews.com/