A western government entity in Ukraine was the target of Russian Gamaredon hackers
Short News:-
The Gamaredon hacking group attempted to compromise an unnamed Western government entity operating in Ukraine. The threat actor, also known as Shuckworm, Armageddon, or Primitive Bear, has historically targeted Ukrainian government officials. Russia's Federal Security Service was made aware of the collective's existence by Ukraine last year. Gamaredon is believed to have more than 700 rogue domains, 215 IP addresses, and more than 100 samples of malware. The clusters are used to host weaponized documents that are engineered to execute malicious code when opened. They also serve as command and control (C&C) servers for the group's remote access trojan, known as Pterodo.
Detailed News:-
At the height of ongoing geopolitical tensions between Russia and Ukraine, the Russia-affiliated Gamaredon hacking group attempted to compromise an unnamed Western government entity operating in Ukraine in late October.
Unit 42, the Palo Alto Networks threat intelligence team, said in a report published on February 3 that the phishing attack had taken place on January 19 and that it had "mapped out three large clusters of their infrastructure used to support different phishing and malware purposes."
From 2013 to the present, the threat actor, also known as Shuckworm, Armageddon, or Primitive Bear, has targeted Ukrainian government officials and organizations with offensive cyber attacks. Russia's Federal Security Service (FSB) was made aware of the collective's existence by Ukraine last year.
Additionally, Unit 42 discovered evidence of a Gamaredon campaign targeting the State Migration Service (SMS) of Ukraine on December 1, 2021, which used a Word document as a lure to install the open-source UltraVNC virtual network computing (VNC) software, giving the attackers persistent remote access to infected computers.
"When it comes to constructing and maintaining their infrastructure, Gamaredon actors take an unusual approach," the researchers wrote in their paper. "To avoid being linked to a cyber campaign, most actors choose to delete domain names after they have been used in it. This helps them avoid being identified as the perpetrators. Gamaredon's approach, on the other hand, is unique in that they appear to recycle their domains by rotating them across new infrastructure on a consistent basis."
It is estimated that the attack infrastructure encompasses no fewer than 700 rogue domains, 215 IP addresses, and more than 100 samples of malware. The clusters are used to host weaponized documents that are engineered to execute malicious code when opened, and they serve as command and control (C&C) servers for the group's remote access trojan, known as Pterodo (aka Pteranodon).
Less than a week apart, Symantec, which is owned by Broadcom, revealed details of another attack orchestrated by the same group between July and August 2021 that targeted an unidentified Ukrainian organization in order to deploy the Pterodo remote access trojan (RAT) for use in post-exploitation operations.
In order to carry out the phishing attack, the campaign's operators used a job search and employment platform located within the country as a conduit to upload their malware downloader in the form of a resume for an active job listing that was related to the targeted organization.
As the researchers noted, "Given the steps and precision delivery involved in this campaign, it appears that this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization."