Cybersecurity researchers on Monday said they uncovered evidence of attempted attacks by a Russia-linked hacking operation targeting a Ukrainian entity in July 2021.
Broadcom-owned Symantec, in a new report published Monday, attributed the attacks to an actor tracked as Gamaredon (aka Shuckworm or Armageddon), a cyber-espionage collective known to be active since at least 2013.
In November 2021, Ukrainian intelligence agencies branded the group as a “special project” of Russia’s Federal Security Service (FSB), in addition to pointing fingers at it for carrying out over 5,000 cyberattacks against public authorities and critical infrastructure located in the country.
Gamaredon attacks typically originate with phishing emails that trick the recipients into installing a custom remote access trojan called Pterodo. Symantec disclosed that, between July 14, 2021 and August 18, 2021, the actor installed several variants of the backdoor as well as deployed additional scripts and tools.
“The attack chain began with a malicious document, likely sent via a phishing email, which was opened by the user of the infected machine,” the researchers said. The identity of the affected organization was not disclosed.
Towards the end of July, the adversary leveraged the implant to download and run an executable file that acted as a dropper for a VNC client before establishing connections with a remote command-and-control server under their control.
“This VNC client appears to be the ultimate payload for this attack,” the researchers noted, adding the installation was followed by accessing a number of documents ranging from job descriptions to sensitive company information on the compromised machine.
images from Hacker News