Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Russia-linked Gamaredon APT continues to target Ukraine

Russia-linked Gamaredon APT group targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad. Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad, Symantec warns. The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the ongoing cyber espionage campaign. Symantec and TrendMicro first discovered the Gamaredon […]

Gamaredon Ukraine

Russia-linked Gamaredon APT group targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad.

Russia-linked Gamaredon APT group (aka Shuckworm, ActiniumArmageddon, Primitive Bear, and Trident Ursa) targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad, Symantec warns.

The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the ongoing cyber espionage campaign.

Symantec and TrendMicro first discovered the Gamaredon group in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine.

The recent wave of attacks began on July 15 and was ongoing as recently as August 8, 2022.

The attack chain starts with spear-phishing messages using a self-extracting 7-Zip file, which was downloaded via the system’s default browser. Then the mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file.

“The downloading of the XML file onto victim networks was followed by the execution of a PowerShell stealer. We saw three versions of the same PowerShell stealer appear on the one system.” reads the analysis published by Symantec. “It’s possible the attackers may have deployed multiple versions of the stealer, which were all very similar, as an attempt to evade detection.”

Gamaredon Ukraine

The files were hosted on a subdomain known to be associated with Shuckworm activity since May 2022. The final payload deployed by the attackers is a PowerShell stealer malware dubbed GammaLoad.PS1_v2.

In some cases, attackers also delivered two backdoors named Giddome and Pterodo, which are known to be part of the Gamaredon arsenal.

Pterodo is a multistage Visual Basic Script (VBS) backdoor designed to collect sensitive information or maintain access to compromised machines. It is distributed in a spear-phishing campaign with a weaponized office document that appears to be designed to lure military personnel. 

The Giddome backdoor supports multiple capabilities, including recording audio, taking screenshots, logging keystrokes, and downloading and executing arbitrary executables onto the infected hosts.

Threat actors also used the legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk for remote access

“As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities.” concludes the report. “While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations.”

Symantec also shared Indicators of Compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]