Full Report
The following are the main APT groups and their cases, based on the analysis reports released by security companies and organizations in January 2025.

1. Andariel

The Andariel group has executed an attack using the RID Hijacking technique to escalate account privileges and create hidden accounts.[1] RID Hijacking involves manipulating the Security Account […]
Analysis Summary
# Threat Actor: Andariel
## Attribution & Identity
No specific attribution or aliases mentioned beyond the name Andariel.
## Activity Summary
Executed an attack involving privilege escalation through RID Hijacking to create hidden administrator accounts.
## Tactics, Techniques & Procedures
- **RID Hijacking:** Manipulating the Security Account Manager (SAM) database to change the Relative Identifier (RID) of a low-privilege account to that of an administrator account.
- Modifying specific offset values in SAM registry keys.
- Used PsExec for remote execution of malicious files.
- Created hidden accounts and added them to the Remote Desktop Users and Administrators groups.
- Deleted the original accounts, then re-registered their SAM entries by importing the previously exported REG files.
## Targeting
- Sectors: Not explicitly detailed, but activity implies compromise of systems requiring administrative access.
- Geography: Not mentioned.
- Victims: Not mentioned.
## Tools & Infrastructure
- **Malware/Tools:** Custom-made malicious files, PsExec, CreateHiddenAccount (which utilizes the REGINI program).
- **Infrastructure:** Not mentioned.
## Implications
Focuses on sophisticated post-exploitation techniques to maintain persistence and elevate access using Windows internal mechanisms (SAM database manipulation).
## Mitigations
- Monitor and audit changes to the Security Account Manager (SAM) database and associated registry keys.
- Implement strict access controls to prevent remote execution via PsExec.
- Monitor for the creation of hidden accounts or accounts added to sensitive groups (Administrators, Remote Desktop Users).
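One way to audit the SAM for the manipulation described above, added here as a defender-side example that is not part of the original report: a legitimately created local account has the same RID in its SAM key name and inside its `F` value, so a mismatch (particularly one pointing at RID 500, the built-in Administrator) is the footprint of RID hijacking. The offset 0x30 is the well-known SAM layout, not stated on the page; the sample data is constructed.

```python
import struct

# Layout assumption (well-known SAM structure, not stated on the page): under
# HKLM\SAM\SAM\Domains\Account\Users each subkey is named by the RID in hex and its
# "F" value is 0x50 bytes, holding the account's RID as a little-endian DWORD at 0x30.
F_RID_OFFSET = 0x30
BUILTIN_ADMIN_RID = 500


def make_f_value(rid: int) -> bytes:
    """Build a minimal 0x50-byte F value carrying the given RID (constructed test data)."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample: built-in Administrator (0x1F4 = 500), a normal user (0x3E9 = 1001),
# and a low-privilege account whose F value was rewritten to claim RID 500.
SAMPLE_SAM_USERS = {
    "000001F4": make_f_value(500),
    "000003E9": make_f_value(1001),
    "000003EA": make_f_value(500),  # hijacked: key name says 1002, F value says 500
}


def embedded_rid(f_value: bytes) -> int:
    """Read the RID stored inside an F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_rid_mismatches(users: dict) -> list:
    """Return one finding per account whose F value disagrees with its key name."""
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        stored = embedded_rid(f_value)
        if key_rid != stored:
            findings.append({
                "key_rid": key_rid,
                "embedded_rid": stored,
                "impersonates_admin": stored == BUILTIN_ADMIN_RID,
            })
    return findings


if __name__ == "__main__":
    for hit in find_rid_mismatches(SAMPLE_SAM_USERS):
        tag = " (built-in Administrator)" if hit["impersonates_admin"] else ""
        print(f"RID mismatch: key {hit['key_rid']} -> F value {hit['embedded_rid']}{tag}")
```

On a live host the `F` values are read from the `Users` subkeys with SYSTEM privileges or from an offline copy of the SAM hive; the comparison is the same.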
---
# Threat Actor: Callisto (Star Blizzard)
## Attribution & Identity
Aliases: Star Blizzard.
## Activity Summary
Conducted spear-phishing attacks targeting WhatsApp accounts starting in mid-November 2024. This marked a shift to using WhatsApp as an initial compromise vector.
## Tactics, Techniques & Procedures
- **Spear-phishing:** Initiated contact via email impersonating a U.S. government official.
- **QR Code Lure:** Used a QR code embedded in the initial email to invite targets to a fake WhatsApp group related to Ukrainian NGO support.
- **Malicious Link:** Sent a follow-up email containing a link to a fake WhatsApp web portal to steal messages and data.
## Targeting
- Sectors: Government, Diplomacy, Research (specifically researchers on Russian defense policies).
- Geography: Individuals involved in supporting Ukraine.
- Victims: Government and diplomatic officials, researchers.
## Tools & Infrastructure
- **Malware/Tools:** Fake WhatsApp web portal (for credential/data harvesting).
- **Infrastructure:** Email used for initial contact.
## Implications
Demonstrates adaptation by leveraging popular consumer communication platforms (WhatsApp) via social engineering (QR codes) to bypass traditional email security layers, specifically targeting politically sensitive profiles.
## Mitigations
- Caution regarding unsolicited QR codes received via email, especially when related to sensitive topics.
- Strict validation procedures for communications purporting to originate from government or diplomatic sources.
- Employee awareness training on advanced social engineering tactics utilizing messaging applications.
---
# Threat Actor: GamaCopy
## Attribution & Identity
Imitates the Gamaredon group for false attribution.
## Activity Summary
Carried out continuous attacks targeting Russian defense and critical infrastructure, masquerading as the Gamaredon group.
## Tactics, Techniques & Procedures
- **Impersonation/False Flag:** Mimics Gamaredon's attack structure but uses distinct technical markers.
- **Bait:** Utilized documents related to Russian Ministry of Defense policies and internal orders from major Russian companies.
- **Delivery:** Distributed malicious payloads via 7z-SFX (Self-Extracting Program) files.
- **Evasion:** Used the open-source remote desktop tool UltraVNC, disguising process names to evade detection.
- **Distinguishing Features vs. Gamaredon:**
  - Employs 7z-SFX files instead of Gamaredon's typical macros/VBS scripts.
  - Uses obfuscated delayed variables.
  - Communicates over port 443 (Gamaredon typically uses 5612).
  - Uses Russian-language documents as bait (Gamaredon uses Ukrainian-language documents).
## Targeting
- Sectors: Russian defense and critical infrastructure.
- Geography: Russia.
- Victims: Organizations related to Russian defense and major Russian companies.
## Tools & Infrastructure
- **Malware/Tools:** 7z-SFX files, UltraVNC (open-source remote desktop tool).
- **Infrastructure:** C2 communication over TCP/UDP port 443.
## Implications
GamaCopy represents a sophisticated threat that actively attempts to complicate forensic attribution by adopting the TTPs of another known group (Gamaredon) while strategically differentiating key technical indicators (delivery mechanism, ports, language). This hinders rapid identification and response.
## Mitigations
- Implement application control to restrict the execution of unknown 7z-SFX archives.
- Monitor for unusual use of legitimate remote access tools such as UltraVNC (including renamed processes) outside standard administrative channels.
- Establish clear indicators of compromise (IOCs) to differentiate between Gamaredon and GamaCopy based on port usage (443 vs 5612) and file types (SFX vs macro).
- Behavior analysis focusing on process lineage and obfuscation techniques, regardless of the file type initially delivered.