Notorious Russian hacking group uses a new tool against Ukraine orgs, researchers say

A prominent Russian government-linked hacking group is using a previously unseen information stealer to exfiltrate files of interest from Ukrainian victims, according to a new report from Cisco.

Asheer Malhotra and Guilherme Venere — security researchers with Cisco Talos — said they identified the campaign as recently as August and involves a custom-made malware designed to steal specific data and deploy additional payloads to infected devices. Researchers attributed the campaign to a group known as Gamaredon, which is linked to the Russian Federal Security Service and has a long history of cyberattacks against Ukraine.

“This is a new infostealer that Gamaredon has not previously used in other campaigns,” the researchers wrote. “We suspect it may be a component of Gamaredon’s ‘Giddome’ backdoor family, but we are unable to confirm that at this time.”

The malware is typically spread through malicious LNK files attached to phishing emails related to the war in Ukraine. The malicious LNK files arrive inside RAR archives and are typically the only files in those archives.

The LNK files and Microsoft Office document names contain references pertinent to the Russian invasion of Ukraine.
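As an added, defender-side illustration of the delivery pattern described above (this is not code from the article or from Cisco Talos), the following Python triages an archive listing for a lone .lnk member and checks the member's Shell Link header for a valid signature and for the HasArguments flag; the archive contents, file names and helper names are constructed assumptions.

```python
import struct
from typing import Dict, List

# Shell Link header constants from the public MS-SHLLINK format (not from the article).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_HAS_ARGUMENTS = 0x20  # LinkFlags bit: the shortcut carries a command-line argument string

def is_shell_link(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (size 0x4C and the LNK CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    size, clsid = struct.unpack_from("<I16s", data, 0)
    return size == LNK_HEADER_SIZE and clsid == LNK_CLSID

def lnk_has_arguments(data: bytes) -> bool:
    """True if the LinkFlags field (offset 20) has HasArguments set."""
    if not is_shell_link(data):
        return False
    flags = struct.unpack_from("<I", data, 20)[0]
    return bool(flags & LNK_HAS_ARGUMENTS)

def triage_archive(members: Dict[str, bytes]) -> List[str]:
    """Return the reasons an archive listing (member name -> content) matches the
    single-LNK-in-archive delivery pattern; an empty list means no match."""
    reasons: List[str] = []
    lnk_names = [n for n in members if n.lower().endswith(".lnk")]
    if not lnk_names:
        return reasons
    if len(members) == 1:
        reasons.append("archive contains a single member and it is a .lnk")
    for name in lnk_names:
        if not is_shell_link(members[name]):
            reasons.append(f"{name}: .lnk extension but no valid shell link header")
        elif lnk_has_arguments(members[name]):
            reasons.append(f"{name}: shortcut carries command-line arguments")
    return reasons

def make_lnk(flags: int) -> bytes:
    """Constructed minimal 76-byte ShellLinkHeader for testing (not a real sample)."""
    head = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    return head + b"\x00" * (LNK_HEADER_SIZE - len(head))

# Constructed sample listings: a lone LNK with arguments, and a benign two-file archive.
SUSPICIOUS = {"report.lnk": make_lnk(LNK_HAS_ARGUMENTS | 0x80)}
BENIGN = {"readme.txt": b"hello", "notes.docx": b"PK\x03\x04"}
```

Real archives would be listed with a RAR library before handing the members to `triage_archive`; the heuristic is a triage signal, not proof of maliciousness.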

Image: Cisco Talos

LNK files are Windows shortcuts that have been used widely by cybercriminal groups behind malware like Emotet, QBot and Phorpiex, while state-backed groups from Russia, North Korea and elsewhere have also used them in several campaigns.

The researchers told The Record that Gamaredon is widely known to target government entities in Ukraine and was involved in the offensive actions that took place ahead of Russia’s invasion of the country in February. 

“Gamaredon is also conducting similar operations, however, these intrusions deliver long-term tactical machinery for espionage such as customized backdoors and infostealers,” the researchers explained.  

“This campaign is supported by stealth mechanisms such as geo-fencing infrastructure to targets in Ukraine to reduce footprints, improve precision and make tracking and analysis of their operations more difficult.”

The researchers added that the recent campaign involves multiple layers of PowerShell- and VBScript-based malware that work together to deliver “a multitude of backdoors and infostealers.”

The malicious Microsoft Office documents delivered in the initial phishing emails were seen during attacks on several Ukrainian entities. The Ukraine Computer Emergency Response Team (CERT-UA) recently released its own report attributing a spate of recent attacks to Gamaredon.

The malware collects data from the victim’s device and sends it back to a remote server while also providing the hackers with continued access to the infected endpoint.

The researchers told The Record that the increase in diversity of malicious artifacts used by Gamaredon lately is significant. 

“Over the last couple of years or so we have seen a steady increase in reliance on script-based malware acting as precursors and stagers to Gamaredon’s final implants,” the researchers said.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.