
Russian State-sponsored Hackers Attack Ukraine, Exploit WinRAR to Install Malware


The Russian hacking group known as Gamaredon has been linked to ongoing exploitation of a WinRAR bug to install several malware strains aimed at propagating and stealing data.

According to Sekoia, the attack exploits CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML Application (HTA) payload called GammaPhish, which then fetches a VBScript payload from the C2 server. That payload's main goals are to fingerprint the host, update the network settings stored in the registry via dead drop resolvers (DDRs), and retrieve and launch arbitrary VBScript payloads from the C2 servers.

About the malware

“Gamaredon’s arsenal has undergone a significant transformation over the last decade, transitioning from Pteranodon custom-built framework into a fragmented and modular malware. Based on our observation, today’s Gamaredon capacities are characterised by a proliferation and a highly active development cycle of new malware variants,” said Sekoia.

VBScript payloads

One payload is a VBScript worm called GammaWorm that establishes persistence through scheduled tasks and is built to hide the genuine directories on network shares and USB drives, replacing them with malicious Windows Shortcut (LNK) files. Opening one of these shortcuts launches arbitrary code fetched from a C2 server.

To resolve its C2 server, GammaWorm issues a GET request to a public Telegram channel. By routing through genuine platforms such as Telegram, the attackers blend in with regular traffic, evade detection, and sustain long-term spying campaigns. GammaWorm also relies on NTFS Alternate Data Streams (ADS) to hide its core modules.
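The folder-swap described above leaves a recognisable trace on a drive: a hidden directory with a shortcut of the same name beside it. The following is an added example (not Sekoia's or the blog's code) that flags that pattern over a directory listing; the Entry record and the sample USB listing are constructed for illustration, and the hidden-attribute handling falls back to a leading dot on non-Windows systems.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One directory entry; 'hidden' mirrors the Windows hidden attribute."""
    name: str
    is_dir: bool
    hidden: bool

def find_lnk_swaps(entries):
    """Return (hidden_dir, shortcut) pairs: a hidden folder whose name plus
    '.lnk' also exists as a file beside it (case-insensitive, as on NTFS)."""
    by_lower = {e.name.lower(): e for e in entries}
    hits = []
    for e in entries:
        if e.is_dir and e.hidden:
            twin = by_lower.get(e.name.lower() + ".lnk")
            if twin is not None and not twin.is_dir:
                hits.append((e.name, twin.name))
    return sorted(hits)

def list_entries(path):
    """Build Entry records from a real directory so the same check can run on
    a mounted USB drive or share; uses the NTFS hidden attribute on Windows
    and a leading dot elsewhere (assumption for non-Windows hosts)."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
            out.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                             hidden or d.name.startswith(".")))
    return out

# Constructed listing of a removable drive: two folders hidden and shadowed by
# look-alike shortcuts, one hidden folder with no twin, and one ordinary .lnk.
SAMPLE_USB = [
    Entry("Reports", True, True), Entry("Reports.lnk", False, False),
    Entry("photos", True, True), Entry("Photos.lnk", False, False),
    Entry(".Trash", True, True), Entry("Budget.xlsx", False, False),
    Entry("Excel.lnk", False, False),
]

if __name__ == "__main__":
    for folder, lnk in find_lnk_swaps(SAMPLE_USB):
        print(f"hidden folder {folder!r} is shadowed by {lnk!r}")
```

Running `find_lnk_swaps(list_entries("E:\\"))` on a mounted drive applies the same check to real media.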

Other malware strains

A different malware family deployed through GammaLoad is a modular information stealer called GammaSteel, which collects files matching particular extensions and exfiltrates them to an AWS S3 bucket, falling back to a threat-actor controlled server. According to Sekoia, the infection chain can also be used to launch other malware strains such as GammaWipe or GamaWiper, depending on the attacker's targets.

"The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first," Sekoia said.

State-sponsored hackers involved

Gamaredon, a Russian state-sponsored intrusion set officially linked to the Federal Security Service (FSB), has a long history of targeting Ukraine, particularly its government, military, and critical infrastructure entities, via spear-phishing emails carrying malicious attachments, in this case booby-trapped RAR archives, according to The Hacker News.

Hackers Exploit Cloudflare Tunnels and DNS Fast-Flux to Conceal GammaDrop Malware

A notorious threat actor known as Gamaredon has been observed employing Cloudflare Tunnels to hide its malware staging infrastructure, facilitating the deployment of GammaDrop malware. This technique is part of a spear-phishing campaign actively targeting Ukrainian organizations since early 2024.

Campaign Details and Tactics 

According to Recorded Future's Insikt Group, the primary goal of this campaign is to deliver Visual Basic Script malware. The group, monitored under the alias BlueAlpha, has also been identified by several other names, including:

  • Aqua Blizzard
  • Armageddon
  • Hive0051
  • Iron Tilden
  • Primitive Bear
  • Shuckworm
  • Trident Ursa
  • UAC-0010
  • UNC530
  • Winterflounder

Active since 2014, BlueAlpha is linked to Russia's Federal Security Service (FSB). "BlueAlpha has recently started using Cloudflare Tunnels to obscure staging infrastructure for GammaDrop, a tactic gaining traction among cybercriminal groups," noted Insikt Group. Additionally, the group continues to use DNS fast-fluxing to complicate the tracking and disruption of command-and-control (C2) communications.
 
Recent Observations 

The use of Cloudflare Tunnels by Gamaredon was first reported in September 2024 by ESET, a Slovak cybersecurity firm, during attacks targeting Ukraine and NATO countries, including Bulgaria, Latvia, Lithuania, and Poland. ESET described BlueAlpha's methods as "reckless and not particularly stealth-focused," although the group employs measures to evade detection and maintain access to compromised systems. These include deploying multiple simple downloaders or backdoors and frequently updating their malware tools with regularly changing obfuscation techniques. 
 
Malware Deployment Process 

The phishing campaign uses HTML attachments to initiate infections via HTML smuggling. This technique embeds JavaScript code to deliver malicious payloads. Key steps include:
  • Phishing emails with HTML attachments drop a 7-Zip archive ("56-27-11875.rar") containing a malicious LNK file.
  • The LNK file abuses mshta.exe to deliver GammaDrop malware.
  • GammaDrop deploys a custom loader, GammaLoad, which connects to a C2 server to retrieve additional malware.

The GammaDrop malware is staged on a server behind a Cloudflare Tunnel, with the domain amsterdam-sheet-veteran-aka.trycloudflare[.]com serving as a staging point. GammaLoad uses DNS-over-HTTPS (DoH) services like Google and Cloudflare to resolve C2 infrastructure, employing fast-flux DNS methods as a fallback.
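HTML smuggling of the kind used in this chain has to rebuild the archive inside the browser from an embedded string and hand it to the user as a download, which gives mail-gateway scanning something to look for. The following is an added example (not Recorded Future's or the blog's code) that scores an HTML attachment on the co-occurrence of those JavaScript building blocks; the indicator weights, the threshold and both sample documents are constructed assumptions.

```python
import re

# (label, regex, weight): the pieces a browser needs to rebuild a file from an
# inline string and push it to the user as a download. Weights are our own.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_ctor", re.compile(r"new\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("forced_download", re.compile(r"\.download\s*=|msSaveOrOpenBlob"), 2),
    ("auto_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("long_b64_literal", re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"), 3),
]
THRESHOLD = 6  # assumption: tune against your own attachment corpus

def score_html(html):
    """Return (score, indicator labels in INDICATORS order) for one document."""
    hits = [label for label, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for label, _, w in INDICATORS if label in hits)
    return score, hits

def is_suspicious(html):
    """True when enough building blocks co-occur to flag the attachment."""
    return score_html(html)[0] >= THRESHOLD

# Constructed samples: an ordinary notification page, and a lure-shaped page
# whose "payload" is a filler string, not a real archive.
BENIGN = ("<html><body><h1>Your invoice is ready</h1>"
          "<a href='https://example.com/invoice'>View online</a></body></html>")
LURE = ("<html><body><script>var d = atob('" + "QUJD" * 60 + "');"
        "var b = new Blob([d]); var a = document.createElement('a');"
        "a.href = URL.createObjectURL(b); a.download = 'attachment.rar'; a.click();"
        "</script></body></html>")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("lure", LURE)):
        print(name, score_html(doc), "SUSPICIOUS" if is_suspicious(doc) else "ok")
```

A single indicator (a legitimate page that uses `atob` or a `download` attribute) stays under the threshold; the pattern becomes interesting only when decode, blob assembly and forced download appear together.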
 
Implications and Future Threats 

Recorded Future warns that BlueAlpha is likely to continue refining its evasion techniques by exploiting legitimate services like Cloudflare. This approach complicates detection for traditional security systems. The group's enhancements to HTML smuggling and DNS-based persistence highlight evolving challenges for organizations with limited threat detection capabilities. "Organizations must strengthen their defenses against phishing campaigns and adopt advanced threat detection strategies to mitigate risks posed by actors like BlueAlpha," the report concluded.