Full Report
The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop. The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that's designed to drop the Visual Basic Script malware, Recorded Future's Insikt Group said in a new analysis.
Analysis Summary
# Threat Actor: BlueAlpha (Gamaredon)
## Attribution & Identity
* **Primary Identification:** BlueAlpha.
* **Known Aliases:** Gamaredon, Aqua Blizzard, Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.
* **Attribution:** Believed to be affiliated with Russia's Federal Security Service (FSB).
* **Activity Span:** Believed active since 2014.
## Activity Summary
BlueAlpha has been observed conducting an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024. This campaign utilizes HTML smuggling to deliver malicious payloads, ultimately deploying the GammaDrop malware. They exhibit tradecraft characterized as reckless but persistent, focusing on maintaining access through multiple simultaneous backdoors rather than deep stealth.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails bearing HTML attachments leveraging **HTML smuggling** (embedded JavaScript code).
* **Execution/Dropping:** HTML attachments drop a 7-Zip archive containing a malicious LNK file, which executes using `mshta.exe` to deliver the GammaDrop HTA dropper.
* **Persistence/Staging:** Attempts to preserve access by deploying multiple simple downloaders or backdoors simultaneously. Uses **PteroDig** to weaponize LNK files in the Desktop folder for persistence.
* **C2 Evasion:** Abuses legitimate services like **Cloudflare Tunnels** to conceal staging infrastructure. Employs **DNS fast-fluxing** against GammaLoad C2 infrastructure to complicate tracking.
* **C2 Communications:** Uses **DNS-over-HTTPS (DoH)** (via Google and Cloudflare providers) to resolve C2 infrastructure when traditional DNS fails.
* **Data Theft:** Tools engineered to steal data from web browsers, email clients, and instant messaging apps (Signal, Telegram).
* **Lateral Movement:** Propagates malware via connected USB drives using **PteroLNK**.
* **Technique Mentioned:** DNS Fast Fluxing (MITRE ATT&CK ID: T1568.001).
## Targeting
* **Sectors:** Not explicitly detailed beyond Ukrainian government and related entities; the espionage focus suggests high-value organizational targets.
* **Geography:** Primary targeting focuses on **Ukraine**. Also targeted **NATO countries** including Bulgaria, Latvia, Lithuania, and Poland.
* **Victims:** Ukrainian entities.
## Tools & Infrastructure
* **Primary Malware/Stage:** GammaDrop (HTA dropper), GammaLoad (custom loader).
* **Toolset (Ptero-series):**
  * Downloaders: PteroPSLoad, PteroX, PteroSand, PteroDash, PteroRisk, PteroPowder.
  * Dropper: PteroCDrop (for VBScript payloads).
  * Delivery/Utility: PteroClone (uses `rclone`).
  * Persistence/USB: PteroLNK (USB), PteroDig (LNK files).
  * Remote Access: PteroPShell, ReVBShell (remote shell).
  * Exfiltration: PteroPSDoor, PteroVDoor (file system exfil), PteroScreen (screenshots), PteroSteal (browser credentials), PteroCookie (browser cookies), PteroSig (Signal data), PteroGram, PteroBleed (IM data from Chrome/Edge/Opera), PteroScout (info steal).
  * Proxy: PteroSocks (partial SOCKS proxy).
* **Infrastructure (Defanged):** Staging server located behind a Cloudflare Tunnel hosted on the domain `amsterdam-sheet-veteran-aka[.]trycloudflare[.]com`.
## Implications
BlueAlpha continues to leverage widely adopted legitimate services (Cloudflare Tunnels, DoH) to obscure its command and control, making it harder for traditional security controls to detect and disrupt its operations. Its reliance on HTML smuggling, DNS-based C2 resilience (DoH fallback and fast-fluxing), and continuous tooling iteration suggests it will remain an evolving challenge, particularly for organizations with limited advanced detection capabilities.
## Mitigations
* Implement robust security controls to detect and analyze complex **HTML Smuggling** techniques delivered via phishing emails.
* Monitor for and block unusual or unexpected usage of **Cloudflare Tunnels** originating from untrusted sources for malware staging.
* Enhance visibility into C2 communications by inspecting **DNS-over-HTTPS (DoH)** traffic where possible, and monitor for irregular DNS resolution patterns indicative of **DNS fast-fluxing**.
* Employ endpoint detection capabilities capable of recognizing and alerting on the behavior of common downloaders/droppers, especially those that leverage built-in Windows functionalities like `mshta.exe`.
* Implement strict policies regarding the use of removable media (USB drives) to prevent malware propagation via tools like PteroLNK.
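As an added example (not code from the Insikt Group report), the following Python detector runs the three DNS-side checks from the mitigations above over constructed telemetry: resolutions of quick-tunnel hostnames under `trycloudflare.com`, script hosts such as `mshta.exe` contacting the public DoH resolvers the report names, and a crude fast-flux heuristic (one name answered with many distinct IPs). The CSV log format, the script-host list and the fast-flux threshold are assumptions.

```python
"""Flag DNS telemetry patterns matching the BlueAlpha tradecraft described above."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample telemetry (not real IoCs): timestamp, host, process, query, answer.
SAMPLE_LOG = """\
ts,host,process,qname,answer
2024-05-01T09:00:01Z,WS01,chrome.exe,www.example.org,93.184.216.34
2024-05-01T09:00:05Z,WS01,mshta.exe,staging-example.trycloudflare.com,104.16.0.1
2024-05-01T09:00:09Z,WS01,mshta.exe,dns.google,8.8.8.8
2024-05-01T09:01:00Z,WS02,wscript.exe,loader.example.net,203.0.113.10
2024-05-01T09:02:00Z,WS02,wscript.exe,loader.example.net,203.0.113.77
2024-05-01T09:03:00Z,WS02,wscript.exe,loader.example.net,198.51.100.5
2024-05-01T09:03:30Z,WS03,outlook.exe,mail.example.org,192.0.2.25
"""

# Hostnames of the public DoH resolvers the report names (Google, Cloudflare).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
# Script hosts / LOLBins that rarely need to resolve names themselves (assumed list).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
FAST_FLUX_MIN_IPS = 3  # distinct answers for one name in the window (assumed threshold)


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, host, detail) findings for a CSV DNS log."""
    findings = []
    answers = defaultdict(set)  # qname -> distinct answer IPs seen
    hosts = defaultdict(set)    # qname -> hosts that queried it
    for row in csv.DictReader(StringIO(log_text)):
        q, proc, host = row["qname"].lower(), row["process"].lower(), row["host"]
        answers[q].add(row["answer"])
        hosts[q].add(host)
        # Rule 1: any resolution of a quick-tunnel hostname (Cloudflare Tunnel staging).
        if q.endswith(".trycloudflare.com"):
            findings.append(("trycloudflare_staging", host, f"{proc} -> {q}"))
        # Rule 2: a script host reaching a DoH resolver (the C2 fallback described above).
        if q in DOH_HOSTS and proc in SCRIPT_HOSTS:
            findings.append(("script_host_doh", host, f"{proc} -> {q}"))
    # Rule 3: one name answered with many distinct IPs suggests fast-flux rotation.
    for q, ips in answers.items():
        if len(ips) >= FAST_FLUX_MIN_IPS:
            findings.append(("fast_flux_candidate", ",".join(sorted(hosts[q])),
                             f"{q} -> {len(ips)} IPs"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {host}: {detail}")
```

Rule 3 is deliberately coarse: legitimate CDN-fronted names also rotate answers, so in production it should be paired with TTL and ASN-diversity checks rather than used alone.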