October 3, 2023

Ukraine’s CERT-UA is warning that the Russia-linked APT group Gamaredon is able to steal data from victims’ networks in less than an hour after the initial compromise.

The Gamaredon APT group, active since 2014, continues to carry out attacks against entities in Ukraine, including security services, military, and government organizations.

Since the Russian invasion of Ukraine, the cyber espionage group has carried out multiple campaigns against Ukrainian targets. CERT-UA has monitored Gamaredon operations and was able to gather intelligence on the APT’s TTPs.


Gamaredon uses spear-phishing emails and messages as the initial attack vector. The cyberspies often send them from previously compromised accounts and trick victims into opening malicious attachments disguised as office documents.

Once the victim opens the document, the attackers need only between 30 and 50 minutes to steal data from the infected system.

The Russian threat actors were observed using malware like GammaSteel and PowerShell scripts to conduct reconnaissance and execute additional commands on the compromised machine.

The threat actors were observed planting as many as 120 malicious files per week on a compromised system, in some cases to maintain persistence and to allow re-infection if the system is cleaned.


In other instances, the threat actors installed AnyDesk on the compromised computer, using PowerShell, to obtain interactive remote access.

Gamaredon takes specific measures to make its network infrastructure fault-tolerant and to avoid detection. The group uses third-party services and/or Telegram resources to determine the IP addresses of its C2 servers, avoiding the DNS subsystem altogether.

Indicators of Compromise

  • AS207713 (@gir.network)
  • 45[.]82.13.86
  • 185[.]247.184.134
  • 195[.]133.88.34
  • 89[.]185.84.30
  • 185[.]39.204.183
  • 185[.]247.184.133
  • 89[.]23.107.203
  • 5[.]44.42.203
  • 89[.]185.84.140
  • 81[.]19.140.137
  • 5[.]44.42.198
  • 45[.]95.233.161
  • 89[.]185.84.130
  • 89[.]185.84.148
  • 89[.]185.84.142
  • 46[.]29.234.106
  • 185[.]247.184.136
  • 185[.]39.204.177
  • 89[.]185.84.138
  • 45[.]82.13.55
  • 185[.]39.204.189
  • 185[.]39.204.149
  • 5[.]44.42.204
  • 31[.]129.22.100
  • 89[.]185.84.143
  • 31[.]129.22.101
  • 194[.]87.45.101
  • 141[.]98.234.40
  • 45[.]82.13.60
  • 5[.]44.42.189
  • 31[.]129.22.89
  • 185[.]39.207.42
  • 141[.]98.234.134
  • 85[.]159.228.56
  • 194[.]87.45.111
  • 45[.]95.232.147
  • 89[.]23.108.95
  • 185[.]39.204.185
  • 31[.]129.22.99
  • 212[.]18.104.52
  • 193[.]228.128.94
  • 141[.]98.234.131
  • 45[.]95.233.145
  • 194[.]87.45.109
  • 31[.]129.22.95
  • 31[.]129.22.88
  • 194[.]87.45.108
  • 185[.]39.207.31
  • 31[.]129.22.102
  • 5[.]44.42.145
  • 31[.]129.22.98
  • 78[.]153.139.176
  • 185[.]39.207.38
  • 45[.]95.232.151
  • 141[.]98.234.135
  • 185[.]39.207.90
  • 46[.]29.234.99
  • 78[.]153.139.169
  • 5[.]44.42.130
  • 193[.]228.128.99
  • 185[.]39.204.161
  • 195[.]133.88.32
  • 5[.]44.42.137
  • 31[.]129.22.94
  • 185[.]39.204.192
  • 194[.]87.45.92
  • 185[.]247.184.120
  • 195[.]133.88.30
  • 89[.]185.84.141
  • 45[.]95.233.163
  • 185[.]247.184.127
  • 185[.]143.223.228
  • 89[.]23.108.97
  • 185[.]39.204.169
  • 78[.]153.139.151
  • 5[.]44.42.144
  • 185[.]247.184.130
  • 212[.]18.104.54
  • 195[.]133.88.31
  • 185[.]247.184.116
  • 89[.]23.108.123
  • 194[.]87.216.82
  • 212[.]18.104.38
  • 141[.]98.234.130
  • 185[.]247.184.115
  • 193[.]228.128.80
  • 185[.]39.204.162
  • 89[.]185.84.151
  • 194[.]87.45.104
  • 185[.]39.207.32
  • 185[.]143.223.230
  • 212[.]18.104.55
  • 185[.]39.207.33
  • 212[.]18.104.59
  • 193[.]228.128.76
  • 185[.]39.204.165
  • 185[.]39.204.191
  • 46[.]29.234.95
  • 45[.]95.232.102
  • 85[.]159.228.50
  • 89[.]185.84.128
  • 31[.]129.22.105
  • AS14061 (@digitalocean.com)
  • 143[.]198.55.82
  • 164[.]92.93.229
  • 159[.]223.80.72
  • 174[.]138.44.162
  • 24[.]199.102.96
  • 164[.]92.75.229
  • 147[.]182.246.254
  • 137[.]184.64.190
  • 144[.]126.223.47
  • 159[.]223.61.130
  • 188[.]166.243.219
  • 165[.]232.165.208
  • 104[.]248.152.19
  • 157[.]230.191.232
  • 147[.]182.252.149
  • 165[.]232.151.219
  • 134[.]209.219.191
  • 178[.]128.16.150
  • 146[.]190.136.109
  • 24[.]199.106.158
  • 167[.]172.65.196
  • 68[.]183.179.176
  • 146[.]190.134.41
  • 165[.]232.159.110
  • 68[.]183.191.122
  • 167[.]71.218.48
  • AS207651 (@vdsina.ru)
  • 77[.]246.111.45
  • 77[.]246.111.193
  • 91[.]201.114.233
  • 77[.]246.107.59
  • 77[.]246.107.190
  • 77[.]246.107.204
  • 109[.]234.36.95
  • AS212189 (@it-grad.kz)
  • 188[.]94.156.162
  • 188[.]94.155.77
  • 188[.]94.155.47
  • 188[.]94.156.165
  • 188[.]94.155.19
  • 188[.]94.156.185
  • 188[.]94.155.46
  • AS211211 (@it-develop.me)
  • 217[.]78.239.148
  • 217[.]78.239.71
  • 193[.]42.112.220
  • 193[.]42.112.28
  • 193[.]42.112.167
  • AS39798 (@mivocloud.com)
  • 194[.]180.191.30
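As an added example (not code from the article or from CERT-UA), the following script shows how a defender can put the indicator list above to work: it refangs the `x[.]y` addresses while keeping the ASN header each one sits under, then triages constructed connection records for two things the advisory points at: contact with a listed C2 address, and a direct-to-IP connection for which the sensor saw no DNS answer, which matches the group's habit of resolving C2 through Telegram instead of DNS. The IoC subset embedded in the script is copied from the list above; the connection and DNS records, the log field layout and the internal network range are constructed assumptions.

```python
"""Added example: refang the page's defanged IoCs and triage constructed
connection records against them and against a "no prior DNS answer" check."""
import ipaddress
import re
from datetime import datetime, timedelta

# Subset of the defanged indicators listed on the page, ASN headers included.
IOC_TEXT = """
AS207713 (@gir.network)
45[.]82.13.86
185[.]247.184.134
89[.]185.84.30
AS14061 (@digitalocean.com)
143[.]198.55.82
164[.]92.93.229
AS207651 (@vdsina.ru)
77[.]246.111.45
"""

ASN_RE = re.compile(r"^(AS\d+)\s*\((@[^)]+)\)$")
DEFANGED_IP_RE = re.compile(r"^\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}$")


def refang(token: str) -> str:
    """Turn '45[.]82.13.86' into '45.82.13.86' so it compares with log fields."""
    return token.replace("[.]", ".")


def parse_iocs(text: str) -> dict:
    """Return {ip: asn_label}, attributing each address to the ASN header above it."""
    iocs = {}
    current_asn = "unknown ASN"
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = ASN_RE.match(line)
        if m:
            current_asn = f"{m.group(1)} ({m.group(2)})"
            continue
        if DEFANGED_IP_RE.match(line):
            ip = str(ipaddress.ip_address(refang(line)))  # ValueError on a bad octet
            iocs[ip] = current_asn
    return iocs


# Constructed sample connection records (not from the advisory). Fields: ts src dst dport
CONN_LOG = """
2023-10-03T09:00:05 10.0.0.15 142.250.74.14 443
2023-10-03T09:01:10 10.0.0.15 45.82.13.86 443
2023-10-03T09:02:30 10.0.0.15 203.0.113.77 8443
2023-10-03T09:03:00 10.0.0.15 10.0.0.1 445
""".strip().splitlines()

# Constructed DNS answers seen by the same sensor. Fields: ts client answer_ip
DNS_LOG = """
2023-10-03T08:59:58 10.0.0.15 142.250.74.14
""".strip().splitlines()

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the site's own ranges


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(conn_lines, dns_lines, iocs, window=timedelta(minutes=10)):
    """Return [(ts, dst, reason)] for outbound connections that deserve a look."""
    # Index DNS answers by (client, answered IP) -> timestamps of those answers.
    answers = {}
    for line in dns_lines:
        ts, client, answer = line.split()
        answers.setdefault((client, answer), []).append(datetime.fromisoformat(ts))

    findings = []
    for line in conn_lines:
        ts_s, src, dst, _dport = line.split()
        ts = datetime.fromisoformat(ts_s)
        if _is_internal(dst):
            continue
        if dst in iocs:
            findings.append((ts_s, dst, f"known C2 address, {iocs[dst]}"))
            continue
        # The advisory notes the group resolves C2 outside DNS, so a connection
        # whose destination never appeared in a DNS answer is a useful signal.
        seen = answers.get((src, dst), [])
        if not any(ts - window <= t <= ts for t in seen):
            findings.append((ts_s, dst, f"no DNS answer for {dst} within {window}"))
    return findings


if __name__ == "__main__":
    for hit in triage(CONN_LOG, DNS_LOG, parse_iocs(IOC_TEXT)):
        print(*hit)
```

The "no DNS answer" rule is deliberately scoped to the same client and a short window; on real traffic it needs an allow-list for legitimately DNS-less destinations (hard-coded update servers, NTP, CDN IPs cached before the sensor started) before it is worth alerting on, while a hit on the refanged indicator set is actionable on its own.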
