Cisco Talos has uncovered an ongoing cyber marketing campaign by the Gamaredon menace actor group, concentrating on Ukrainian customers with malicious LNK recordsdata to ship the Remcos backdoor.
Lively since a minimum of November 2024, this marketing campaign employs spear-phishing techniques, leveraging themes associated to the Ukraine battle to lure victims into executing the malicious recordsdata.
The LNK recordsdata, disguised as Workplace paperwork, are distributed inside ZIP archives and carry filenames referencing troop actions and different war-related subjects in Russian or Ukrainian.
The assault begins with the execution of a PowerShell downloader embedded in the LNK file.
This downloader contacts geo-fenced servers positioned in Russia and Germany to retrieve a second-stage ZIP payload containing the Remcos backdoor.
The downloaded payload employs DLL sideloading strategies to execute the backdoor, a way that entails loading malicious DLLs by means of respectable purposes. This strategy permits attackers to bypass conventional detection mechanisms.
Subtle Supply Mechanisms
Gamaredon’s phishing emails doubtless embrace both direct attachments of the ZIP recordsdata or URLs redirecting victims to obtain them.
The marketing campaign’s filenames, resembling “Coordinates of enemy takeoffs for 8 days” or “Positions of the enemy west and southwest,” recommend a deliberate try to take advantage of delicate geopolitical themes.
Metadata evaluation signifies that solely two machines have been used to create these malicious shortcut recordsdata, according to Gamaredon’s operational patterns noticed in earlier campaigns.
The PowerShell scripts embedded within the LNK recordsdata use obfuscation strategies, resembling leveraging the Get-Command cmdlet, to evade antivirus detection. As soon as executed, these scripts obtain and extract the ZIP payload into the %TEMP% folder.
The payload consists of clear binaries that load malicious DLLs, which decrypt and execute the ultimate Remcos backdoor payload.
This backdoor is injected into Explorer.exe and communicates with command-and-control (C2) servers hosted on infrastructure based in Germany and Russia.
Focused Infrastructure and Indicators of Compromise
The marketing campaign’s C2 servers are hosted by Web Service Suppliers resembling GTHost and HyperHosting.
Notably, Gamaredon restricts entry to those servers primarily based on geographic location, limiting them to Ukrainian victims.
Reverse DNS information for a few of these servers reveal distinctive artifacts which have helped researchers determine further IP addresses related to this operation.
The Remcos backdoor itself gives attackers with strong capabilities for distant management, together with knowledge exfiltration and system manipulation.
Cisco Talos has noticed proof of fresh purposes like TivoDiag.exe being abused for DLL sideloading throughout this marketing campaign.
Gamaredon’s use of superior strategies resembling DLL sideloading, geo-fenced infrastructure, and thematic phishing underscores its persistence in concentrating on Ukraine amidst ongoing geopolitical tensions.
Organizations are suggested to stay vigilant in opposition to such threats by implementing strong endpoint safety, electronic mail safety measures, and community monitoring options.
IOCs for this menace might be present in our GitHub repository right here.
Discover this Information Attention-grabbing! Observe us on Google Information, LinkedIn, and X to Get Instantaneous Updates!
