Gamaredon Group

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. [1]

ID: G0047
Version: 1.0

Techniques Used

Domain | ID | Name | Use
------ | -- | ---- | ---
Enterprise | T1025 | Data from Removable Media | A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives. [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | A Gamaredon Group file stealer transfers collected files to a hardcoded C2 server. [1]
Enterprise | T1120 | Peripheral Device Discovery | Gamaredon Group tools contained an application to check the performance of USB flash drives. [1]
Enterprise | T1105 | Remote File Copy | Tools used by Gamaredon Group are capable of downloading and executing additional payloads. [1]
Enterprise | T1064 | Scripting | Gamaredon Group has used various batch scripts to establish C2, download additional files, and conduct other functions. [1]
Enterprise | T1071 | Standard Application Layer Protocol | A Gamaredon Group file stealer can communicate over HTTP for C2. [1]
Enterprise | T1082 | System Information Discovery | A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server. [1]
Enterprise | T1033 | System Owner/User Discovery | A Gamaredon Group file stealer can gather the victim's username to send to a C2 server. [1]

Software

ID | Name | References | Techniques
-- | ---- | ---------- | ----------
S0147 | Pteranodon | [1] | Command-Line Interface, Data Staged, Exfiltration Over Command and Control Channel, File and Directory Discovery, File Deletion, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Scheduled Task, Screen Capture, Standard Application Layer Protocol

References