Select Page

An ongoing espionage campaign operated by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defence, and law enforcement agencies with a piece of custom-made information stealing malware.

“The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine,” Cisco Talos researchers Asheer Malhotra and Guilherme Venere said in a technical write-up shared with The Hacker News. “LNK files, PowerShell, and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.”

Active since 2013, Gamaredon – also known as Actinium, Armageddon, Primitive Bear, Shuckworm, and Trident Ursa – has been linked to numerous attacks aimed at Ukrainian entities in the aftermath of Russia’s military invasion of Ukraine in late February 2022.

The targeted phishing operation, observed as recently as August 2022, also follows similar intrusions uncovered by Symantec last month involving the use of malware such as Giddome and Pterodo. The primary goal of these attacks is to establish long-term access for espionage and data theft.

It entails leveraging decoy Microsoft Word documents containing lures pertaining to the Russo-Ukrainian war that are distributed via email messages to infect targets. When opened, macros concealed within remote templates are executed to retrieve RAR containing LNK files.

images from Hacker News