Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

Published 27/09/2024 17:15 · Modified 27/09/2024 17:46

Essential information

Tags
2024-09-27 apt backdoors stealers
Related entities
50 observables, 1 intrusion sets (apt), 8 techniques (mitre), 23 malware, 6 others

Description

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental institutions. Gamaredon employs a variety of custom malware tools written in PowerShell, VBScript, and C, as well as some open-source tools. The analysis covers their tactics for initial access, including spearphishing and weaponized documents and USB drives. It details numerous tools used for downloading payloads, dropping files, weaponizing systems, stealing data, and maintaining backdoor access. The report also examines Gamaredon's obfuscation techniques, network infrastructure, and methods for bypassing domain-based blocking.

External references