The Russia-linked Gamaredon hacking group attempted to compromise an unnamed Western government entity operating in Ukraine last month amidst ongoing geopolitical tensions between the two countries.
Palo Alto Networks’ Unit 42 threat intelligence team, in a new report published on February 3, said that the phishing attack took place on January 19, adding that it “mapped out three large clusters of their infrastructure used to support different phishing and malware purposes.”
Active since 2013, the threat actor, also called Shuckworm, Armageddon and Primitive Bear, has historically aimed its cyberattacks at Ukrainian officials and organisations. Last year, Ukraine disclosed the collective’s ties to Russia’s Federal Security Service (FSB).
To carry out the phishing attack, the attackers used a country-based job search and employment portal to upload the malware. It was submitted in the form of a resume in response to an active job listing for the target entity.
“Given all the details and the precision of delivery, this could have been an intentional attempt by Gamaredon to undermine this Western government agency,” researchers said.
Additionally, Unit 42 uncovered evidence of a Gamaredon campaign targeting the State Migration Service (SMS) of Ukraine on December 1, 2021, which used a Word document as a lure to install the open-source UltraVNC virtual network computing (VNC) software for maintaining remote access to infected computers.
Researchers found that “Gamaredon actors take an unusual approach to maintaining and building their infrastructure.” They added: “Most actors choose to discard domains after their use in a cyber campaign in order to distance themselves from any possible attribution. Gamaredon is different in their approach. They seem to reuse domains through the consistent rotation of them over new infrastructure.”
Taken together, the attack infrastructure spans no fewer than 700 rogue domains, 215 IP addresses, and over 100 malware samples. The clusters are used to host weaponized documents engineered to execute malicious code when opened, and to serve as command-and-control servers for the group’s Pterodo (aka Pteranodon) remote access trojan.
The findings come less than a week after Broadcom-owned Symantec disclosed another attack, orchestrated between July and August 2021 against an unidentified Ukrainian organisation, that used the Pterodo RAT in post-exploitation activities.