Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18.[6][5]

ID: G0047
Associated Groups: IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard
Contributors: ESET; Trend Micro Incorporated; Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 3.1
Created: 31 May 2017
Last Modified: 23 September 2024

Associated Group Descriptions

Name Description
IRON TILDEN

[7]

Primitive Bear

[8]

ACTINIUM

[5]

Armageddon

[4]

Shuckworm

[4]

DEV-0157

[5]

Aqua Blizzard

[9]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Gamaredon Group has registered multiple domains to facilitate payload staging and C2.[5][8]

.003 Acquire Infrastructure: Virtual Private Server

Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia.[10]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gamaredon Group has used HTTP and HTTPS for C2 communications.[1][2][3][4][11][8][10]

Enterprise T1119 Automated Collection

Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.[3]

Enterprise T1020 Automated Exfiltration

Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.[2][3][11][10]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Gamaredon Group has used obfuscated PowerShell scripts for staging.[5]

.003 Command and Scripting Interpreter: Windows Command Shell

Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.[1][3][11][8]

.005 Command and Scripting Interpreter: Visual Basic

Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.[2][3][11][5][7]

Enterprise T1005 Data from Local System

Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.[3]

Enterprise T1039 Data from Network Shared Drive

Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.[3]

Enterprise T1025 Data from Removable Media

A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.[1][3]

Enterprise T1001 Data Obfuscation

Gamaredon Group has used obfuscated VBScripts with randomly generated variable names and concatenated strings.[10]

Enterprise T1491 .001 Defacement: Internal Defacement

Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access.[11]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.[2][3] Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications.[10]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

Gamaredon Group has used tools to delete files and folders from victims' desktops and profiles.[11]

Enterprise T1568 Dynamic Resolution

Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.[8]

.001 Fast Flux DNS

Gamaredon Group has used fast flux DNS to mask their command and control channel behind rotating IP addresses.[10]

Enterprise T1480 Execution Guardrails

Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations.[10]

Enterprise T1041 Exfiltration Over C2 Channel

A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.[1]

Enterprise T1083 File and Directory Discovery

Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.[3][8]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Gamaredon Group has used hidcon to run batch files in a hidden console window.[8]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Gamaredon Group tools can delete files used during an operation.[2][4][11]

Enterprise T1105 Ingress Tool Transfer

Gamaredon Group has downloaded additional malware and tools onto a compromised host.[1][2][3][5] For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments.[10]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[3]

Enterprise T1534 Internal Spearphishing

Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Gamaredon Group has used legitimate process names to hide malware including svchosst.[8]

Enterprise T1112 Modify Registry

Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM.[3][11]

Enterprise T1106 Native API

Gamaredon Group malware has used CreateProcess to launch additional malicious components.[3]

Enterprise T1027 Obfuscated Files or Information

Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.[3]

.001 Binary Padding

Gamaredon Group has obfuscated .NET executables by inserting junk code.[3]

.004 Compile After Delivery

Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.[3]

.010 Command Obfuscation

Gamaredon Group has used obfuscated or encrypted scripts.[3][5]

Enterprise T1588 .002 Obtain Capabilities: Tool

Gamaredon Group has used various legitimate tools, such as mshta.exe and Reg, and services during operations.[10]

Enterprise T1137 Office Application Startup

Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received.[3]

Enterprise T1120 Peripheral Device Discovery

Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.[1][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.[2][3][11][5][8][7][10]

Enterprise T1057 Process Discovery

Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.[4][8]

Enterprise T1021 .005 Remote Services: VNC

Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.[4][5][8]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.[3][11][5][10]

Enterprise T1113 Screen Capture

Gamaredon Group's malware can take screenshots of the compromised computer every minute.[3]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Gamaredon Group has registered domains to stage payloads.[5][8]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Gamaredon Group has used mshta.exe to execute malicious files.[4][10]

.011 System Binary Proxy Execution: Rundll32

Gamaredon Group malware has used rundll32 to launch additional malicious components.[3]

Enterprise T1082 System Information Discovery

A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[1][2][11]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.[4]

Enterprise T1033 System Owner/User Discovery

A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.[1]

Enterprise T1080 Taint Shared Content

Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.[3]

Enterprise T1221 Template Injection

Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.[12] Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.[2][3][11][5][8][7]

Enterprise T1204 .001 User Execution: Malicious Link

Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.[10]

.002 User Execution: Malicious File

Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.[2][3][4][11][5][8][7][10]

Enterprise T1102 Web Service

Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.[3]

.003 One-Way Communication

Gamaredon Group has used Telegram Messenger content to discover the IP address for C2 communications.[10]

Enterprise T1047 Windows Management Instrumentation

Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address.[11][10]

Software

References