# Full Report
The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
# Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
Attributed to Russian state-backed hackers. The group displays unwavering tenacity despite being less sophisticated than other Russian state actors.
## Activity Summary
The article describes a recent campaign where the threat actor attacked a Western military mission using a malicious USB drive. This campaign exemplifies an effort to increase operational stealth and effectiveness, incorporating incremental but meaningful improvements in their TTPs.
## Tactics, Techniques & Procedures
- Initial infection vector via malicious external (removable) drive/USB using a shortcut file (`_files.lnk`).
- Persistence established by adding a new key to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
- Abusing Windows features: storing the final PowerShell payload (a PowerShell-based version of GammaSteel) in the Windows Registry, split into separate pieces by function.
- Modifying the UserAssist Registry key to track infection origin.
- Using a heavily obfuscated script to drop and run files.
- **Command and Control (C2)**: Resolving server addresses using legitimate services and connecting to Cloudflare-protected URLs.
- Spreading mechanism: Infecting other removable and network drives using LNK files.
- **Defense Evasion**: Hiding certain folders and system files by modifying Registry keys.
- **Reconnaissance**: Using a PowerShell script to capture screenshots, gather information on installed AV tools, files, and running processes.
- **Data Exfiltration**: Stealing documents (.DOC, .PDF, .XLS, .TXT) from locations like Desktop, Documents, and Downloads.
- Data staging/preparation involves using `certutil.exe` to hash stolen files.
- Exfiltration methods include PowerShell web requests, or utilizing cURL over Tor if primary web requests fail.
- *Specific MITRE ATT&CK IDs were not provided in the text, only general descriptions of the actions.*
## Targeting
- **Sectors**: Western military mission (implied defense/government sector).
- **Geography**: Western networks; the reported incident involved a Western military mission operating in Ukraine.
- **Victims**: A Western military mission (specific organization name not provided).
## Tools & Infrastructure
- **Malware families used**: PowerShell-based version of GammaSteel.
- **Infrastructure**: Connects to Cloudflare-protected URLs for C2 communications; uses cURL over Tor as a fallback data transfer path.
- **Defanged URLs/IPs**: N/A (the text only mentions Cloudflare-protected destinations and reliance on legitimate services for address resolution).
## Implications
Gamaredon remains a persistent risk to Western networks, driven by tenacity. Their recent updates show improvements in operational stealth (e.g., obfuscation, payload storage in Registry, C2 methods) which elevate the risk posed by this group over time, despite their generally lower sophistication level among state-sponsored groups.
## Mitigations
- Monitor activity related to malicious shortcut (`.LNK`) files on removable media.
- Implement strict monitoring and detection for obfuscated scripts running from temporary locations or leveraged via WMI/PowerShell.
- Monitor for Registry modifications in UserAssist and Run keys for persistence mechanisms.
- Review network traffic for C2 communications directed at Cloudflare-protected domains.
- Harden systems against data exfiltration techniques involving PowerShell web requests or utilities like `certutil.exe` for file preparation.
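The Registry and staging behaviours listed in the TTPs section translate directly into host-based detections. The following script is an added example written for this summary, not code from the original article or from any vendor product: it runs three rules over simplified, Sysmon-like event records (the event shape, the SID, the user name and the paths are all constructed here) and flags a Run-key value that launches PowerShell to read its payload back out of the Registry, a UserAssist write from a process other than explorer.exe, and `certutil.exe` hashing a document under Desktop, Documents or Downloads.

```python
"""Detection rules for three of the behaviours described above (Run-key persistence
with a Registry-resident PowerShell payload, UserAssist tampering, and certutil
hashing of user documents). Added example; event format is a simplified Sysmon-like
dict constructed for this script, not a real log schema."""

import re

# Registry paths as Sysmon renders them (HKCU shows up as HKU\<SID>\...).
RUN_KEY_MARK = "\\software\\microsoft\\windows\\currentversion\\run\\"
USERASSIST_MARK = "\\software\\microsoft\\windows\\currentversion\\explorer\\userassist\\"
# Folders named in the exfiltration description; compared case-insensitively.
USER_DOC_DIRS = ("\\desktop\\", "\\documents\\", "\\downloads\\")
# UserAssist is maintained by the shell; other writers are worth a look (tune per estate).
EXPECTED_USERASSIST_WRITERS = ("\\explorer.exe",)

# PowerShell started from a Run value that pulls code out of the Registry
# (Get-ItemProperty, the Registry:: provider, HKCU:/HKLM: drives) or uses -enc.
PS_REGISTRY_READ = re.compile(
    r"powershell(?:\.exe)?\b.*?(?:get-itemproperty|registry::|hkcu:|hklm:|-e(?:nc(?:odedcommand)?)?\b)",
    re.IGNORECASE,
)
CERTUTIL_HASH = re.compile(r'certutil(?:\.exe)?\b.*?-hashfile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def check_run_key(ev):
    """Event 13 (value set) under a Run key whose data launches a Registry-reading PowerShell."""
    if ev.get("event_id") != 13 or RUN_KEY_MARK not in ev.get("target_object", "").lower():
        return None
    if not PS_REGISTRY_READ.search(ev.get("details", "")):
        return None
    return {"rule": "run_key_powershell_registry_payload",
            "target": ev["target_object"], "image": ev.get("image")}


def check_userassist(ev):
    """Event 13 under UserAssist written by something other than the shell."""
    if ev.get("event_id") != 13 or USERASSIST_MARK not in ev.get("target_object", "").lower():
        return None
    if ev.get("image", "").lower().endswith(EXPECTED_USERASSIST_WRITERS):
        return None
    return {"rule": "userassist_unexpected_writer",
            "target": ev["target_object"], "image": ev.get("image")}


def check_certutil_hash(ev):
    """Event 1 (process create): certutil -hashfile against a file in a user document folder."""
    if ev.get("event_id") != 1:
        return None
    m = CERTUTIL_HASH.search(ev.get("command_line", ""))
    if not m:
        return None
    path = m.group(1) or m.group(2)
    if not any(d in path.lower() for d in USER_DOC_DIRS):
        return None
    return {"rule": "certutil_hash_user_document", "path": path, "image": ev.get("image")}


RULES = (check_run_key, check_userassist, check_certutil_hash)


def analyze(events):
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events: three true positives interleaved with benign look-alikes.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'powershell.exe -w hidden -c "iex ((Get-ItemProperty HKCU:\Software\Example).p)"'},
    {"event_id": 13, "image": r"C:\Program Files\Vendor\Setup.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\Agent.exe" /minimized'},
    {"event_id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\LoginScript",
     "details": r"powershell.exe -File C:\Scripts\login.ps1"},
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\abc",
     "details": "Binary Data"},
    {"event_id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\xyz",
     "details": "Binary Data"},
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r'certutil.exe -hashfile "C:\Users\alice\Documents\Q1 report.pdf" SHA256'},
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -hashfile C:\Windows\Temp\installer.msi SHA256"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately narrow: a Run value is only flagged when its command both launches PowerShell and reaches back into the Registry or carries an encoded command, so plain scheduled scripts pass; the certutil rule keys on the document folders the report names rather than on `-hashfile` alone. In production the event dicts would be replaced by your SIEM's parsed Sysmon (or equivalent) records and the UserAssist writer allowlist tuned to the estate.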