U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Russia-linked Gamaredon targets Ukraine with Remcos RAT

Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader. Talos researchers warn that Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) targets Ukraine with a phishing campaign. The cyberespionage group is behind a long series of spear-phishing attacks targeting Ukrainian entities, and organizations related […]

Gamaredon Powershell

Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.

Talos researchers warn that Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) targets Ukraine with a phishing campaign. The cyberespionage group is behind a long series of spear-phishing attacks targeting Ukrainian entities, and organizations related to Ukrainian affairs. The APT group has been launching cyber-espionage campaigns against Ukraine since at least 2014.

The threat actor is using troop-related lures to deploy the Remcos RAT via PowerShell downloader.

The campaign has been active since at least November 2024, the PowerShell downloader connects to geo-fenced servers in Russia and Germany to retrieve a ZIP file with the Remcos backdoor.

“Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024.” reads the Talos report. “The second stage payload uses DLL side loading to execute the Remcos payload. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group.”

Threat actor distributes LNK files compressed inside ZIP archives as part of the recent phishing campaign, usually disguising the file as an Office document and uses names related to the military invasion.  

Gamaredon likely sends phishing e-mails with either an attached ZIP file or that contain a URL link pointing to the file hosted on a remote host.  

The malicious LNK files, created on two machines, contain PowerShell code to download the next stage payload and a decoy file to disguise the infection.

Gamaredon Powershell

The PowerShell code avoids antivirus detection by using Get-Command to execute the payload. The researchers noticed that the servers only responded to requests from Ukraine, while connections from Germany and Russia return HTTP 403 errors, possibly restricting access to Ukrainian victims. Evidence shows the servers were still hosting files for specific regions.

Gamaredon typically uses custom scripts and tools but has recently been observed employing the Remcos backdoor in their campaigns. The attack involves downloading a ZIP payload from servers, extracting it to the %TEMP% folder, and executing a seemingly clean application that loads a malicious DLL via DLL sideloading. This DLL acts as a loader, decrypting and executing the final Remcos payload from encrypted files within the ZIP.

The PowerShell scripts used to download the ZIP files suggest abuse of legitimate applications for DLL sideloading and contain a mix of clean and malicious files.

“We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution.” continues the report.

The report includes Indicators of Compromise (IoCs) for this threat along with Snort rules for its detection.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)