Full Report
A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.
Analysis Summary
# Threat Actor: GamaCopy
## Attribution & Identity
A previously unknown threat actor cluster dubbed **GamaCopy**. Assessed to share overlaps with the hacking group **Core Werewolf** (also tracked as Awaken Likho and PseudoGamaredon). The actor imitates the tradecraft of the Kremlin-aligned group **Gamaredon**.
## Activity Summary
GamaCopy is engaged in cyber espionage attacks notably targeting Russian-speaking entities. The campaigns leverage content related to military facilities as lures to deliver remote access tooling. The attack chain mirrors aspects seen in Core Werewolf campaigns, utilizing 7-Zip SFX archives to drop payloads.
## Tactics, Techniques & Procedures
- Initial access/delivery via **self-extracting (SFX) archive file created using 7-Zip**.
- A **batch script** is executed to deliver the primary payload and display a decoy PDF document.
- Deployment of **UltraVNC** for remote access.
- The UltraVNC executable is renamed **"OneDrivers.exe"** so that it resembles the Microsoft OneDrive client binary (OneDrive.exe), a defense-evasion measure against casual process-list review.
- Utilizes **port 443** for communication with the command and control server.
- Use of the `EnableDelayedExpansion` option (`setlocal EnableDelayedExpansion`) in the batch script, a trait also seen in Core Werewolf scripts.
## Targeting
- Sectors: Not explicitly listed beyond general "Russian-speaking entities."
- Geography: Implied focus on **Russian entities** or regions where Russian entities operate.
- Victims: Specific organizations are not named, but the victims are tied to entities targeted by adversary groups like Gamaredon and Core Werewolf (which targeted Russian government agencies and industrial entities, per contextual information).
## Tools & Infrastructure
- Tooling: **UltraVNC**, a legitimate open-source remote-desktop application repurposed for C2/remote access.
- Infrastructure (C2, domains, IPs): Connection to the server is initiated over **port 443**.
## Implications
GamaCopy presents a significant threat due to its emulation of the well-known Gamaredon group's tactics, potentially confusing attribution efforts or leveraging established targeting profiles. The use of common remote access tools (UltraVNC) and defense evasion techniques (renaming executables) suggests an actor focused on establishing persistent, covert access for espionage purposes against Russian infrastructure.
## Mitigations
- Harden defenses against spear-phishing/delivery mechanisms utilizing **7z SFX archives**.
- Monitor network egress traffic, particularly on **port 443**, for unexpected outbound connections to non-standard peers or suspicious traffic patterns indicative of remote access tools like UltraVNC.
- Implement detection for known UltraVNC artifacts and for processes masquerading as OneDrive, e.g., a process named "OneDrivers.exe" or an "OneDrive"-named binary running from a directory other than the legitimate OneDrive install path.
- Review file creation logs for evidence of batch scripts deploying tooling following archive extraction.