The Ukrainian Government’s Computer Emergency Response Team (CERT-UA) recently disclosed the rapid data-theft technique used by the APT group tracked as UAC-0010 (aka Armageddon, Gamaredon).
According to a CERT-UA announcement on July 13, 2023, Gamaredon is made up of former Ukrainian Security Service (SBU) officers stationed in Crimea who defected in 2014 and began working for the Russian Federal Security Service.
Gamaredon’s primary purpose is said to be cyber espionage against Ukrainian security forces, with evidence of sabotage against information infrastructure targets.
The group mainly infects government computers, particularly those within communication systems, and often relies on tactics such as compromised accounts and messages sent via email, Telegram, WhatsApp and Signal.
It also uses malware such as GammaSteel to exfiltrate files within 30-50 minutes of infection, focusing mainly on documents with specific extensions.
After the initial infection, the victim’s computer may accumulate 80-120 malicious files over a period of about a week, not counting files on removable media. Re-infection is more likely if any of these files are left behind during cleanup.
Gamaredon’s preferred initial compromise method involves sending the victim an archive containing an HTM or HTA file that starts the infection chain.
This group relies heavily on PowerShell for document theft and remote command execution, and may install AnyDesk for interactive remote access.
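As an added illustration of the behaviours described above (this is not CERT-UA's or the article's code), the following Python script runs a few defender-side checks over constructed endpoint telemetry: an HTA/HTM lure launched through mshta.exe (the Windows HTA host), PowerShell spawned from it, an AnyDesk install, and a burst of document reads by one process inside a short window, which is how GammaSteel-style rapid collection would appear in file-access telemetry. The event format, paths, PIDs, the document extension list and the burst threshold are all assumptions or constructed samples; the report names neither the extensions nor any threshold.

```python
"""Added example, not code from CERT-UA or the article: defender-side triage
over constructed endpoint telemetry for the Gamaredon behaviours described
in the report (HTA/HTM lure, PowerShell chain, AnyDesk install, rapid
document collection). All event lines, paths, PIDs and values are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: document extensions worth watching; the report does not list them.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".odt", ".txt"}
LURE_EXTS = (".hta", ".htm")          # ".htm" also matches ".html"
# Assumption: this many document reads by one process inside this window is a burst.
BURST_COUNT, BURST_WINDOW = 20, timedelta(minutes=5)

# Constructed telemetry: process-create ("proc") and file-read ("file") events.
SAMPLE_EVENTS = [
    {"ts": "2023-07-13T09:00:00", "type": "proc", "pid": 100, "ppid": 50,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\7zO1\invoice.hta"'},
    {"ts": "2023-07-13T09:00:02", "type": "proc", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc QQBBAEEA"},
    {"ts": "2023-07-13T09:05:00", "type": "proc", "pid": 102, "ppid": 101,
     "image": r"C:\Users\u\Downloads\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install"},
    {"ts": "2023-07-13T10:00:00", "type": "proc", "pid": 200, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE"},
] + [  # 25 document reads by the PowerShell process inside 25 seconds
    {"ts": f"2023-07-13T09:01:{i:02d}", "type": "file", "pid": 101,
     "path": rf"C:\Users\u\Documents\report_{i}.docx"} for i in range(25)
] + [  # one ordinary document open by Word, which must not be flagged
    {"ts": "2023-07-13T10:01:00", "type": "file", "pid": 200,
     "path": r"C:\Users\u\Documents\memo.docx"},
]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _basename(path)
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def find_lure_execution(events) -> list:
    """PIDs of mshta.exe (the HTA host) launched with an .hta/.htm argument."""
    return [e["pid"] for e in events if e["type"] == "proc"
            and _basename(e["image"]) == "mshta.exe"
            and any(x in e["cmdline"].lower() for x in LURE_EXTS)]


def find_children(events, parent_pids, image_name: str) -> list:
    """PIDs whose image basename is image_name and whose parent is in parent_pids."""
    return [e["pid"] for e in events if e["type"] == "proc"
            and e["ppid"] in parent_pids and _basename(e["image"]) == image_name]


def find_anydesk_installs(events) -> list:
    """PIDs running an AnyDesk binary; legitimate use exists, so pair with the chain."""
    return [e["pid"] for e in events if e["type"] == "proc"
            and "anydesk" in _basename(e["image"])]


def find_document_bursts(events) -> dict:
    """pid -> max number of document reads inside any BURST_WINDOW, if >= BURST_COUNT."""
    reads = defaultdict(list)
    for e in events:
        if e["type"] == "file" and _ext(e["path"]) in DOC_EXTS:
            reads[e["pid"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for pid, times in reads.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_COUNT:
            flagged[pid] = best
    return flagged


def triage(events) -> dict:
    """Combine the four checks into one report keyed by finding type."""
    lure = find_lure_execution(events)
    shells = find_children(events, set(lure), "powershell.exe")
    return {
        "lure_pids": lure,
        "powershell_from_lure": shells,
        "anydesk_installs": find_anydesk_installs(events),
        "document_bursts": find_document_bursts(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The burst check is the part worth tuning: a 30-50 minute collection window from the report means the reads cluster far more tightly than a user's normal document activity, so a sliding-window count per process separates the PowerShell collector from Word opening a single file. Because AnyDesk is also used legitimately, an AnyDesk finding is only meaningful when its parent chain leads back to the lure, as it does for PID 102 here.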
To evade detection, Gamaredon uses PowerShell scripts to bypass two-factor authentication and frequently changes the IP addresses of its infrastructure, which calls for continuous defensive measures rather than one-off blocking.
The CERT-UA article provides a list of indicators of compromise (IoCs) to effectively detect Gamaredon.
Ukrainian military personnel are also advised to install endpoint detection and response (EDR) software to minimize the risk to systems outside the protective perimeter, especially systems that use Starlink terminals for internet access.
The recommendation follows research that Symantec released in June, which found that Gamaredon stepped up its attacks on Ukraine from January to April 2023.