The Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity operating in Ukraine.
Last month the Ukrainian government was hit with destructive malware, tracked as WhisperGate, and several Ukrainian government websites were defaced by exploiting a separate vulnerability in OctoberCMS.
Clusters of infrastructure have been attributed to this APT group. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 malware samples.
Threat actors usually discard their domains once a cyber attack is over, but Gamaredon recycles its domains by consistently rotating them across new infrastructure.
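The two points above (infrastructure that clusters into hundreds of domains and IPs, and domains that are re-pointed at fresh hosting rather than discarded) are both visible in passive DNS data. The script below is an added example, not part of the article or of any vendor's tooling: it takes constructed passive-DNS observations (all domains and IPs are placeholders), flags domains whose resolutions hop across several IP addresses over time, and groups domains into clusters by the addresses they share.

```python
"""
Spot recycled domains and shared infrastructure in passive-DNS records.
Added example for this article; the input below is constructed, and the
domains (.invalid) and IPs (documentation ranges) are placeholders.
"""
from collections import defaultdict
from datetime import date

# Constructed observations: (domain, resolved_ip, first_seen)
SAMPLE_PDNS = [
    ("example-a.invalid", "192.0.2.10", date(2021, 6, 1)),
    ("example-a.invalid", "192.0.2.55", date(2021, 8, 15)),
    ("example-a.invalid", "198.51.100.7", date(2021, 11, 2)),
    ("example-b.invalid", "192.0.2.55", date(2021, 9, 1)),
    ("example-b.invalid", "198.51.100.7", date(2021, 12, 1)),
    ("static.invalid", "203.0.113.9", date(2021, 6, 1)),
]


def resolution_history(records):
    """Map each domain to its (first_seen, ip) resolutions in time order."""
    history = defaultdict(list)
    for domain, ip, seen in records:
        history[domain].append((seen, ip))
    return {d: sorted(v) for d, v in history.items()}


def rotating_domains(records, min_hops=2):
    """Return domains that resolved to at least `min_hops` distinct IPs,
    with the IPs in the order they were first observed. A domain that is
    repeatedly re-pointed at new hosting matches the recycling pattern;
    a domain that stays on one address is not flagged."""
    flagged = {}
    for domain, hist in resolution_history(records).items():
        ips = []
        for _, ip in hist:
            if ip not in ips:  # keep first-seen order, drop repeats
                ips.append(ip)
        if len(ips) >= min_hops:
            flagged[domain] = ips
    return flagged


def cluster_domains(records):
    """Group domains that share any IP into one cluster (union-find over
    shared addresses). Returns a sorted list of sorted clusters."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_ip = defaultdict(list)
    for domain, ip, _ in records:
        by_ip[ip].append(domain)
    for domains in by_ip.values():
        for other in domains[1:]:
            union(domains[0], other)

    clusters = defaultdict(set)
    for domain, _, _ in records:
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for domain, ips in rotating_domains(SAMPLE_PDNS).items():
        print(f"{domain} rotated across {len(ips)} IPs: {' -> '.join(ips)}")
    for cluster in cluster_domains(SAMPLE_PDNS):
        print("cluster:", ", ".join(cluster))
```

On real passive-DNS exports the same two functions give a defender a starting pivot: a domain already on a block list that keeps appearing on new addresses is worth re-checking, and every other domain in its cluster inherits that suspicion.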
The phishing attack leveraged a job search and employment platform in Ukraine: the attackers uploaded their malware downloader, disguised as a resume, to an active job listing related to the targeted organization. A weaponized Word document named “Report on the LCA for June 2021 (Autosaved).doc” was used as a lure to deliver the open-source UltraVNC virtual network computing software, which maintains remote access to infected computers.
One of the clusters was used as C2 infrastructure for a custom remote administration tool, the Pteranodon backdoor. This backdoor has been continuously updated for years, with the threat actors focusing development on anti-detection functions. The malware allows the attackers to download and execute files, capture screenshots, and execute arbitrary commands on compromised systems.
The Gamaredon group was first discovered in 2015, but evidence of its activities has been dated back to 2013. The group carried out over 5,000 cyberattacks against public authorities and critical infrastructure of Ukraine.