ESET Research has conducted a comprehensive technical analysis of the toolset Gamaredon uses in its cyberespionage operations against Ukraine.
Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
**Identification:** Russia-aligned Advanced Persistent Threat (APT) group.
**Attribution:** Attributed by the Security Service of Ukraine (SSU) to the **18th Center of Information Security of the FSB**, operating out of occupied Crimea.
**History and Associations:** Active since at least 2013. Believed to collaborate with the threat actor **InvisiMole**.
## Activity Summary
Gamaredon is described as the most engaged APT group currently operating in Ukraine. Its activity level has remained consistent since before the February 2022 invasion and is focused on cyberespionage. The group has been observed compiling thousands of samples and developing or updating its toolset throughout 2022 and 2023. While predominantly focused on Ukraine, it attempted to compromise targets in NATO countries (Bulgaria, Latvia, Lithuania, and Poland) in April 2022 and February 2023; no successful compromise was observed there. Between November 2022 and December 2023, over a thousand unique machines in Ukraine were attacked. The group relies on spearphishing campaigns and on weaponized Word documents and USB drives for initial compromise and lateral movement. Unlike many APTs, Gamaredon is characterized as "noisy and reckless": it does not prioritize stealth but invests heavily in maintaining persistence.
## Tactics, Techniques & Procedures
- Spearphishing campaigns.
- Weaponizing Word documents and USB drives for initial access and propagation.
- Shifting toolset focus towards **VBScript and PowerShell** (almost entirely ditching SFX archives used previously).
- Frequent updating and use of **obfuscation tricks** to evade detection.
- Maintaining access by deploying **multiple simple downloaders or backdoors simultaneously**.
- Utilizing **Fast Flux DNS** to rapidly change Command and Control (C2) IP addresses (sometimes several times per day).
- Frequently registering and updating new C2 domains, primarily using the **.ru TLD**.
- Leveraging **third-party services** like Telegram, Cloudflare, and ngrok for evasion and C2 communication.
- **Tool Categories:** Downloaders, droppers (for VBScript payloads), weaponizers (modifying existing files or creating files on USBs), stealers (exfiltrating specific files), backdoors (remote shells), and ad hoc tools (e.g., reverse SOCKS proxy, payload delivery using `rclone`).
- New PowerShell tool development in 2023 focused on stealing data from web browsers, email clients, and instant messaging apps (Signal and Telegram).
- **MITRE ATT&CK (inferred from the TTPs above):** T1568.001 (Dynamic Resolution: Fast Flux DNS).
## Targeting
- **Sectors:** Primarily Ukrainian governmental institutions.
- **Geography:** Overwhelmingly focused on **Ukraine**. Minor observed attempts against NATO countries: Bulgaria, Latvia, Lithuania, and Poland.
- **Victims:** The majority of attacks are directed against **Ukrainian governmental institutions**.
## Tools & Infrastructure
- **Malware Families/Tools:** PteroBleed (PowerShell infostealer), plus custom downloaders, droppers, weaponizers, stealers, and backdoors.
- **Infrastructure:**
  - C2 IP addresses changed frequently using Fast Flux DNS, sometimes several times per day.
  - C2 domains registered frequently, often under the **.ru** TLD.
  - Third-party services used for C2 and evasion: Telegram, Cloudflare, and ngrok.
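The fast flux behaviour listed under Tactics, Techniques & Procedures and again here leaves a signature in passive DNS data. The block below is an added example, not ESET code and not anything from the Gamaredon toolset: it groups constructed A-record observations by domain and UTC day and flags a domain whose answers churn across several IP addresses and /24 prefixes while all carrying short TTLs. The domain names and addresses are placeholders (RFC 5737 documentation ranges), and the thresholds are assumptions to tune against a local baseline.

```python
"""Heuristic fast flux detector over passive DNS (pDNS) A-record observations.

Added example; not ESET code and not part of the Gamaredon toolset. The
sample log, domain names and IP addresses below are constructed placeholders
(RFC 5737 documentation ranges), not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed pDNS observations: "<ISO-8601 time> <qname> <rtype> <rdata> <ttl>"
SAMPLE_PDNS = """\
2023-06-01T00:10:00Z updater-placeholder.ru A 203.0.113.10 120
2023-06-01T03:40:00Z updater-placeholder.ru A 198.51.100.7 120
2023-06-01T07:05:00Z updater-placeholder.ru A 192.0.2.44 300
2023-06-01T11:30:00Z updater-placeholder.ru A 203.0.113.200 120
2023-06-01T15:00:00Z updater-placeholder.ru A 198.51.100.99 180
2023-06-01T20:45:00Z updater-placeholder.ru A 192.0.2.130 120
2023-06-01T01:00:00Z www.example.com A 203.0.113.5 3600
2023-06-01T09:00:00Z www.example.com A 203.0.113.6 3600
2023-06-01T17:00:00Z www.example.com A 203.0.113.5 3600
2023-06-01T22:00:00Z www.example.com A 203.0.113.6 3600
""".splitlines()


@dataclass(frozen=True)
class PdnsRecord:
    ts: datetime
    qname: str
    ip: ipaddress.IPv4Address
    ttl: int


def parse_pdns(lines):
    """Parse whitespace-separated pDNS lines; only A records are scored."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, rtype, rdata, ttl = line.split()
        if rtype != "A":
            continue
        records.append(PdnsRecord(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            qname=qname.lower().rstrip("."),
            ip=ipaddress.IPv4Address(rdata),
            ttl=int(ttl),
        ))
    return records


def daily_stats(records):
    """Summarize answer churn per (qname, UTC day)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.qname, r.ts.date())].append(r)
    stats = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r.ts)
        ips = {r.ip for r in recs}
        # Distinct /24s separate cross-network flux from one provider's address pool.
        prefixes = {ipaddress.ip_network(f"{r.ip}/24", strict=False) for r in recs}
        # flips: consecutive observations whose answer differs.
        flips = sum(1 for a, b in zip(recs, recs[1:]) if a.ip != b.ip)
        stats[key] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "max_ttl": max(r.ttl for r in recs),
            "flips": flips,
        }
    return stats


def detect_fast_flux(records, min_ips=4, min_prefixes=3, max_ttl=600):
    """Return {qname: [(day, stats), ...]} for days that look like fast flux.

    Thresholds are assumptions for this example: many distinct IPs spread over
    several /24s, all served with short TTLs, within a single day.
    """
    flagged = {}
    for (qname, day), s in daily_stats(records).items():
        if (s["distinct_ips"] >= min_ips
                and s["distinct_prefixes"] >= min_prefixes
                and s["max_ttl"] <= max_ttl):
            flagged.setdefault(qname, []).append((day.isoformat(), s))
    return flagged


if __name__ == "__main__":
    for name, days in detect_fast_flux(parse_pdns(SAMPLE_PDNS)).items():
        for day, s in days:
            print(f"{name} {day}: {s}")
```

CDNs and round-robin load balancers also hand out many addresses, which is why the check requires cross-prefix churn together with short TTLs rather than address count alone; in practice, allowlist known CDN ranges and correlate hits with domain registration age, since the group pairs rapid IP rotation with frequently registered .ru domains.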
## Implications
Gamaredon remains a persistent and aggressive threat due to its high operational tempo, willingness to deploy multiple persistence mechanisms, and continuous evolution of its toolset (especially regarding obfuscation and TTP shifts like favoring PowerShell/VBScript). Its operations are directly linked to the ongoing conflict in Ukraine, suggesting a sustained focus on Ukrainian government entities. The group's employment of fast-changing infrastructure makes network-based blocking difficult.
## Mitigations
- Implement robust defenses against spearphishing and address risks associated with shared USB drives.
- Employ advanced endpoint detection and response (EDR) capable of analyzing VBScript and PowerShell behavior, focusing on obfuscated code execution.
- Network monitoring focused on detecting anomalies related to the use of third-party services (Telegram, ngrok) for command and control.
- Flag or block newly registered domains, particularly **.ru** domains that resolve to rapidly changing IP addresses, since the group registers and rotates C2 domains frequently.
- Focus on detection capabilities against its specific custom toolset, leveraging threat intelligence updates.
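Obfuscated VBScript and PowerShell, named above under the TTPs and again in the EDR mitigation, can be triaged before an analyst looks at them. The block below is an added example, not ESET code and not part of the Gamaredon toolset: it scores PowerShell script-block text (the content recorded by Script Block Logging, Event ID 4104) against a small set of obfuscation and download-cradle indicators plus character-level statistics. The sample script blocks, indicator weights and threshold are constructed for this example and are assumptions to tune locally; the obfuscated samples only wrap a harmless Write-Host.

```python
"""Heuristic scoring of PowerShell script blocks for obfuscation and
download-cradle patterns, the kind of text logged by Script Block Logging
(Event ID 4104).

Added example; not ESET code and not part of the Gamaredon toolset. The
sample script blocks are constructed for this example; the obfuscated ones
only wrap a harmless Write-Host.
"""
import base64
import math
import re
from collections import Counter

# (regex, weight, label). Weights and the threshold are assumptions to tune.
INDICATORS = [
    (r"invoke-expression|\biex\b", 3, "Invoke-Expression / IEX"),
    (r"\[char\]\s*\d+", 2, "[char] integer casts"),
    (r"-join\b|::join\(", 1, "string joining"),
    (r"frombase64string|-e(nc|ncodedcommand)?\b", 3, "base64 decode / -EncodedCommand"),
    (r"\{\d+\}.*?-f\b", 2, "format-operator string reassembly"),
    (r"-replace\b", 1, "-replace rewriting"),
    (r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", 2, "download cradle"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-nop(rofile)?\b", 1, "-NoProfile"),
    (r"-e(xecutionpolicy|p)?\s+bypass", 2, "execution-policy bypass"),
    (r"[a-z]`[a-z]", 2, "backtick splitting inside identifiers"),
    (r"'[^']*'\s*\+\s*'", 1, "literal string concatenation"),
    (r"&\s*\(\s*\$", 2, "call operator on a variable-held command"),
]

# Characters that dominate obfuscated PowerShell but are sparse in admin one-liners.
SPECIALS = set("$`'\"+{}[]()|;&,:")

# Constructed samples. ENCODED is the UTF-16LE base64 form PowerShell expects
# for -EncodedCommand; the plaintext is a harmless Write-Host.
ENCODED = base64.b64encode("Write-Host 'hi'".encode("utf-16-le")).decode()
SAMPLES = {
    "benign_listing": (
        "Get-ChildItem -Path C:\\Logs -Filter *.log | Sort-Object LastWriteTime | Select-Object -First 10"
    ),
    # Reassembles "IEX" and "Write-Host" from fragments, then runs Write-Host 'run'.
    "char_cast_reassembly": (
        "$k=('I'+'E'+'X');"
        "$c=[char]87,[char]114,[char]105,[char]116,[char]101,[char]45,[char]72,[char]111,[char]115,[char]116;"
        "$s=-join $c;&($k) \"$s 'r`un'\""
    ),
    "encoded_command": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}",
}


def special_density(text):
    """Fraction of characters drawn from SPECIALS."""
    return sum(c in SPECIALS for c in text) / max(len(text), 1)


def shannon_entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((k / n) * math.log2(k / n) for k in Counter(text).values())


def score_script_block(text, threshold=6):
    """Sum indicator weights plus statistical bonuses; return score, verdict, reasons."""
    reasons, score = [], 0
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(label)
    density = special_density(text)
    if density > 0.25:
        score += 2
        reasons.append(f"special-character density {density:.2f}")
    entropy = shannon_entropy(text)
    if entropy > 5.0:
        score += 1
        reasons.append(f"entropy {entropy:.2f}")
    return {"score": score, "suspicious": score >= threshold, "reasons": reasons}


def triage(samples):
    """Score a mapping of name -> script-block text."""
    return {name: score_script_block(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(name, result)
```

Pattern lists like this are triage, not detection: heavier layering (string reversal, runtime decryption, Unicode escapes) defeats any fixed regex set, so the score should route a script block to behavioural EDR and AMSI telemetry rather than replace them, which is what the EDR mitigation above calls for.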